Can register_globals be set to "on" safely?

Lido

I'm running a low traffic site running scripts written for us a few years ago that require register_globals to be on in order for the session management to work. What can I do to make this less risky?

NogDog

The only real danger that I am aware of is if your script uses an uninitialized variable in some way such that if the user submits post or get data that would create that variable via register_globals, then possibly unwanted things could happen.

One way to check if this could be a problem is to turn on all error reporting including notices, and check to see if you get any notices about using uninitialized variables. If so, then that script should be modified to ensure that the variable in question is initialized (normally to an empty value) before it is used. This could be done globally at the php.ini level or at the directory level via .htaccess (if using Apache) by setting display_errors 1 and error_reporting E_ALL. Or you could do it at the script level with the following at the start of the script:

<?php
ini_set('display_errors', 1);
error_reporting(E_ALL);

Once done debugging, you should turn off display_errors so that things you might not want malicious users to see do not get displayed (and instead review your PHP error logs to see if things are running OK).

However, for forward compatibility, the better solution is to remove all dependencies upon register_globals and then turn it off, since it won't even be an option in PHP6.

bradgrafelman

Lido wrote:
What can I do to make this less risky?

My only suggestion is one that NogDog mentioned:

NogDog wrote:
the better solution is to remove all dependencies upon register_globals and then turn it off

nrg_alpha

NogDog;10902091 wrote:
....
Once done debugging, you should turn off display_errors so that things you might not want malicious users to see do not get displayed (and instead review your PHP error logs to see if things are running OK).

Definitely good advice. However, am I correct in assuming that any hosting company worth their salt disables that ability to display such error onscreen messages by default?

bradgrafelman

That depends entirely on the host. According to the manual, the default value for display_errors is enabled, so perhaps some hosts take that into consideration and leave it as such. It doesn't necessarily classify them as a "bad" host; they're simply following standards laid in place by the developers of the software, leaving any custom configuration up to the end user (who should be just as knowledgeable in PHP - a smart host shouldn't/can't make up for an illiterate user).

NogDog

If you are allowed to use .htaccess file php settings, you can set it that way even if php.ini has it turned off. And if not, you can always search through your PHP error logs.

And of course, you could download the site to your PC, install WAMP/LAMP locally, and test it there with whatever settings you want to use. 🙂

nrg_alpha

NogDog;10902327 wrote:
...
And of course, you could download the site to your PC, install WAMP/LAMP locally, and test it there with whatever settings you want to use. 🙂

No XAMPP? (that's what I use locally... hopefully that isn't bad.. sure seems to work solidly... Don't need to configure anything (haven't dealt with MySQL yet thought).

NogDog

I was using WAMP/LAMP in the generic context (Windows|Linux Apache MySQL and PHP), not specific installation tool name context. 🙂

For Windows I do happen to prefer WAMP[server] (the installation tool) over XAMPP because I like its runtime user interface better, though I haven't looked at XAMPP for some time now so it may not be as much of an issue any more.