Registered Globals ON/OFF

Maljonic

Can't get enough of FH
Joined
Dec 22, 2003
Messages
1,297
Can someone explain Registered Globals to me, what it means, I read up on it a bit but I still don't quite get it. Plus how do you switch to off?
 

JingleBells

FH is my second home
Joined
Mar 25, 2004
Messages
2,224
To summarise $_GET and $_POST, imagine a form like so (sorry shovel, cba adding <label> to this example ;)):
Code:
<form action="phpPage.php" method="GET">
Name: <input type="text" name="name" /><br>
Email: <input type="text" name="email" /><br>
<input type="submit"/>
</form>

with register globals ON phpPage might look like this:
PHP:
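<?php
// register_globals ON: the form fields arrive as plain variables.
// They are user input, so escape them before output.
echo "Hi ".htmlspecialchars($name).", your email address is ".htmlspecialchars($email).".";
?>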

with register globals OFF phpPage might look like this:
PHP:
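<?php
// register_globals OFF: read the fields from $_GET explicitly.
// They are user input, so escape them before output.
echo "Hi ".htmlspecialchars($_GET["name"]).", your email address is ".htmlspecialchars($_GET["email"]).".";
?>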
If the form method was POST, then $_GET would be $_POST of course ;)


To summarise something like REMOTE_ADDR (which returns the IP of the person viewing the page), with Register Globals ON you'd do the following:
PHP:
<?php
echo "Hi, your IP address is: ". $REMOTE_ADDR ;
?>

with Register Globals OFF you'd do the following:
PHP:
<?php
echo "Hi, your IP address is: ". $_SERVER["REMOTE_ADDR"] ;
?>

Register Globals should be set to OFF for several reasons:
a) it separates the user's variables from the server variables, they are in a different scope.
b) Semi-solves security problems, if you use POST on your form, then with register globals OFF, a user cannot spoof the form using something like phpPage.php?name=a&email=b

From PHP 4.2.0 register globals was set to OFF by default, so unless your hosts are a bunch of numpties, it should still be OFF. To change it, you'll either need to edit php.ini (which may be difficult if you don't have admin access to the server) or use a .htaccess file (if using an Apache webserver) containing the following line:
Code:
php_flag register_globals 0

I think that answers your question.
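
Added example (not part of JingleBells's post or of any project's code): point (b) above, shown on a poll handler. The function names, the `choice` and `voted` fields and the sample requests are constructed for illustration, and register_globals is emulated because PHP 5.4 removed it.

```php
<?php
// register_globals emulation: every request value becomes a plain variable,
// with GET, POST and COOKIE merged (default variables_order "EGPCS", so a
// later source overrides an earlier one).
function import_like_register_globals(array $get, array $post, array $cookie): array
{
    return array_merge($get, $post, $cookie);
}

// Style used with register_globals ON: the handler cannot tell where
// the value came from, so a query string works as well as the POST form.
function vote_with_globals(array $get, array $post, array $cookie): string
{
    $vars = import_like_register_globals($get, $post, $cookie);
    $choice = $vars['choice'] ?? null;
    return $choice !== null ? "counted: $choice" : 'rejected: no choice';
}

// Style used with register_globals OFF: each value is read from the one
// source it is expected in, then validated against a fixed list.
function vote_explicit(string $method, array $post, array $cookie): string
{
    $allowed = ['a', 'b', 'c'];            // constructed poll options
    if ($method !== 'POST') {
        return 'rejected: form must be submitted with POST';
    }
    if (isset($cookie['voted'])) {         // check done on the action page
        return 'rejected: already voted';
    }
    $choice = $post['choice'] ?? '';
    if (!is_string($choice) || !in_array($choice, $allowed, true)) {
        return 'rejected: invalid choice';
    }
    return "counted: $choice";
}

// Constructed requests: phpPage.php?choice=b (no form) and a real form post.
$spoofedGet = ['choice' => 'b'];
$formPost   = ['choice' => 'a'];

echo vote_with_globals($spoofedGet, [], []), "\n";
echo vote_explicit('GET', [], []), "\n";
echo vote_explicit('POST', $formPost, []), "\n";
echo vote_explicit('POST', $formPost, ['voted' => '1']), "\n";
echo vote_explicit('POST', ['choice' => 'zzz'], []), "\n";
```

The cookie in this sketch is still supplied by the client, so a server-side record per registered user is the stronger duplicate-vote control.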
 

Maljonic

It still seems a bit complicated, but it's a bit clearer thanks. One of my hosts has it set to on for some reason, I'm sure I mentioned it ages ago but can't remember what they said as a reason. I only noticed it because postnuke states it as a kind of warning when you go into the admin area, I think my hosts said it didn't matter when I told them.

I altered the .htaccess file like you said and the warning is gone anyway.

So can people exploit this in some way? Someone had been using some kind of dodgy method to artificially vote many times a day on a poll, I had to change it so only registered users can vote to stop them - would this be one of the possible exploits or is that something totally different?
 

wyrd_fish

Fledgling Freddie
Joined
Dec 27, 2003
Messages
537
that could well be a symptom of reg globals being on

if the cookie check is performed on the form page, and not the action page


a lot of these problems can be avoided by writing defensively and not trusting your data
 

Maljonic

Anyway I asked this particular host, http://www.34sp.com, why they have registered globals set to on and they replied:

34sp.com said:
Unfortunately, by turning it off at a server level, a great number of scripts would break, due to the way in which they are coded.
As you have discovered, it is possible to override this at a domain level using the .htaccess file.

As long as the .htaccess method works I don't suppose it matters.
 

wyrd_fish

i'm with 34sp, and i find them excellent

can't fault them, if you need something changing etc. they'll do it
 

Maljonic

I agree, I have three sites with them and they've always been quick to reply and sort any problems out.
 
