register_globals in php.ini

scorpioy

I'm using my own machine to test two projects, one is developed with 'register_globals' disabled. The other requires it to be enabled. Once it is enabled, the first project becomes having some bugs.

I want to work with two projects simultaneously. Is there any way to enable some setting for one folder, but not the other?

Thanks.

tsinka

Hi,

which web server do you use ?

Thomas

scorpioy

Here it is

Webserver: Apache/1.3.28 (Win32) PHP/4.3.3
Database: 5.0.0-alpha
PHP: 4.3.3

Thanks

Roger_Ramjet

Yes, is the short answer. Provided the two project are in two seperate directories then you can set different php configurations for each with an .htaccess file in the root of each project.

php_flag register_globals 0 will turn them off and
php_flag register_globals 1 will turn them on

scorpioy

Thanks for the help. It works now.

Although I saw the php.ini documents that enabling register_globals would cause security problem. and people also say don't do in that way, I am curious about what exactly reasons result in the security problem. Could someone give me some examples to show why?

Thanks

MarkR

Register_globals creates several different security problems:

If you accidentally "forget" to define a variable, the user can get whatever value they want into it just by passing it through as a cookie / get / post etc
Using cross-site scripting, a malicious user may be able to persuade code to run as a legitimate user, to do something they hadn't explicitly requested.

Consider a privileged user having a cookie which stores their privilege level. Using cross-site scripting, it would not normally be possible to produce a POST, but you could make a GET by just linking the user to a page with a normal anchor.

Something like a POST payload would not normally be able to be triggered automatically by a malicious user from another site. but if you are using register_globals and just using $blah, then using cross-site scripting they might be able to get in.

Basically it's all a bit dodgy.

Your best bet is to test whether register_globals is enabled at runtime, and throw an error if it is, so that you notice if it "accidentally" gets switched back on.

That's what I do.

Mark

Roger_Ramjet

See this link for a practical solution to some of the security problems in PHP: http://www.sitepoint.com/print/write-secure-scripts-php-4-2

Attached article gives in depth look at the problem. It cinclude URLs for further articles etc if you are interested.

Basically, always have register globals off. This is the recommended setting in later PHP release. Unfortunately, most hosts set them on. They justify this on the grounds that older sites on the same server will require them on.