Advice on PHP settings for all you technomaniacs

mohson
Forum Contributor
Posts: 372
Joined: Thu Dec 02, 2004 6:58 am
Location: London

Advice on PHP settings for all you technomaniacs

Post by mohson »

What type of settings on your version of PHP would affect something like password controls?

Imagine the scenario, you want to code your system to allow sessions so users can log in and log out, users have different types, i.e admin, guest and restrictions on the activities they do.

When you try and code this people say "oh by the way make sure you have etc etc switched on and etc etc switched off"

My question is: what are these "etcs"? What settings would people be referring to?

Also, do you think that in certain environments these settings would have a legitimate reason to be switched off and unavailable, say if you were using a server not controlled by you?

Any information would be welcome. I'm gathering this data from a range of sources, so your technical input would be invaluable.

Thanks
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

I'm having trouble understanding what settings you could be referring to, and more importantly, why they would need to be on or off. You can script to handle either contingency (in the same script) most often.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

I think he is talking about the PHP setting in the ini file. I think.

If that is the case, some of the ones more commonly mentioned around here are:

Code:

register_globals = Off   ; never let request data be imported as global variables
display_errors = Off     ; keep errors in the server log, not in the browser
short_open_tag = Off     ; this is the php.ini directive for "<?" short tags
asp_tags = Off           ; this is the php.ini directive for "<% %>" ASP-style tags
I know there are more that we talk about, but these are the ones, off the top of my head, that get the most airtime.
mohson
Forum Contributor
Posts: 372
Joined: Thu Dec 02, 2004 6:58 am
Location: London

Post by mohson »

Yep Everah, that's exactly what I'm talking about. Now to the second part of my question: would certain organisations turn things like the ones you mentioned off for security or other reasons?

And if they did, would it be possible to work around this, i.e. as feyd has mentioned?
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

mohson wrote:Yep Everah, that's exactly what I'm talking about. Now to the second part of my question: would certain organisations turn things like the ones you mentioned off for security or other reasons?

And if they did, would it be possible to work around this, i.e. as feyd has mentioned?
Yes, many organizations would turn these settings to off if they are not defaulted to off. Mostly because of security. Some of these can be overridden by using ini_set(), but in most cases, you want these settings off.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

register_globals is easy to deal with: write your script such that it doesn't require them to be on by using the superglobals -- $_GET, $_POST, $_FILES, $_COOKIE, $_SESSION, $_SERVER, etc.

display_errors: this can often be controlled from an .htaccess file, or by using set_error_handler() to create your own handlers for errors.

short_tags: always always use "<?php" instead of "<?". Same goes for "<?php echo" as opposed to "<?=".

asp_style_tags: same as short tags, as far as anyone should be concerned.
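The following is an added example, not code posted in this thread, showing a login handler written the way feyd describes: it reads input only from the superglobals, initialises its own state so register_globals cannot pre-set it, and routes errors through ini_set() and set_error_handler() so display_errors on the host does not matter. It assumes PHP 7.1 or later; findUserByName() and the user record inside it are constructed for the example.

```php
<?php
// Added example (not from the thread): a login handler that behaves the same
// whether register_globals and display_errors are On or Off on the host.
declare(strict_types=1);

// Never surface errors to the browser from application code; keep them in the
// server log regardless of the ini default. These two directives can be set
// from a script even on shared hosts where php.ini itself is read-only.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Route every PHP warning/notice through our own handler so nothing that
// includes file paths or query text reaches the client.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    error_log(sprintf('[app] %s in %s:%d', $errstr, $errfile, $errline));
    return true; // handled: PHP will not print it
});

// Read input only from the superglobals. These exist no matter what
// register_globals is set to, and nothing below relies on $username or
// $password having been auto-imported as globals.
$username = isset($_POST['username']) ? trim((string) $_POST['username']) : '';
$password = isset($_POST['password']) ? (string) $_POST['password'] : '';

// Every state variable is initialised before use, so a request carrying
// ?authenticated=1 cannot pre-set it even with register_globals=On.
$authenticated = false;

// Hypothetical lookup; a real application would query its user store.
function findUserByName(string $name): ?array
{
    // Constructed sample record: the password "correct horse" stored as a
    // password_hash() digest, never in the clear.
    $users = [
        'alice' => [
            'hash' => password_hash('correct horse', PASSWORD_DEFAULT),
            'role' => 'admin',
        ],
    ];
    return $users[$name] ?? null;
}

$user = findUserByName($username);
if ($user !== null && password_verify($password, $user['hash'])) {
    $authenticated = true;
}

if ($authenticated) {
    echo 'Welcome back.';
} else {
    // Same response for an unknown user and a wrong password, so the
    // login form does not reveal which usernames exist.
    http_response_code(401);
    echo 'Login failed.';
}
```

The point of the `$authenticated = false;` line is the one Jenk and GM make later in the thread: a variable that is assigned before it is read cannot be smuggled in through the query string, whatever register_globals is set to.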
mohson
Forum Contributor
Posts: 372
Joined: Thu Dec 02, 2004 6:58 am
Location: London

Post by mohson »

So therefore I could argue that I cannot create an administration section using sessions, because this would require settings in the ini file to be altered and as a result this could breach the organisation's security.

This doesn't prevent the system from having security, as the organisation has its own password control which can password-protect directories.

Still is mine a valid argument?
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

Also, to avoid register_globals exploitation, always define your variables.

Code:

<?php

// $loggedin is only assigned on the success path and never initialised,
// so with register_globals=On a request parameter can supply its value.
if ($user->isLoggedIn()) {
    $loggedin = true;
}

// isset() is true for any value, including one injected via the URL.
if (isset($loggedin)) {
    $view->display('membersarea');
}

?>
is open to exploitation via register_globals, if the user enters: http://www.example.com/page.php?loggedin=foo
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

mohson wrote:So therefore I could argue that I cannot create an administration section using sessions, because this would require settings in the ini file to be altered and as a result this could breach the organisation's security.

This doesn't prevent the system from having security, as the organisation has its own password control which can password-protect directories.

Still, is mine a valid argument?
No, you could not argue that. There are session settings in the php.ini file, but there is nothing preventing you from using native PHP sessions to create an administration section. There is also nothing preventing you from creating a database-managed session application to handle administration.

The settings we have discussed in this thread would not prevent you from using sessions at all.
mohson
Forum Contributor
Posts: 372
Joined: Thu Dec 02, 2004 6:58 am
Location: London

Post by mohson »

Thank you all for your advice I shall add this to my report.

Appreciated.
GM
Forum Contributor
Posts: 365
Joined: Wed Apr 26, 2006 4:19 am
Location: Italy

Post by GM »

mohson wrote:So therefore I could argue that I cannot create an administration section using sessions, because this would require settings in the ini file to be altered and as a result this could breach the organisation's security.

This doesn't prevent the system from having security, as the organisation has its own password control which can password-protect directories.

Still, is mine a valid argument?
No. You can create an administration section with all of those settings switched off, using sessions or otherwise.

You don't even need to put Admin only php scripts into a separate directory, as with a decent control at the beginning of the script you can grant/deny access based on your own criteria.

Just to add to Jenk's example above, the correct way to do this is:

Code:

<?php

$loggedin = false;
// this way, no matter what the user does with the URL, $loggedin is always reset to false

if ($user->isLoggedIn()) {
    $loggedin = true;
}

// test the value itself, not merely whether the variable exists
if ($loggedin) {
    $view->display('membersarea');
}

?>
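To put RobertGonzalez's and GM's answers into working code: an added example, not code from this thread, of a session-based access guard that grants or denies at the top of a script and needs none of the php.ini settings discussed above to be changed. It assumes PHP 7.1 or later; the file name admin_guard.php, the role names and the function names are all this example's own choices.

```php
<?php
// Added example (not from the thread): an access guard, saved as e.g.
// admin_guard.php and require'd at the top of every admin-only script.
// It relies only on native PHP sessions; register_globals, display_errors
// and short tags being Off is exactly the environment it expects.
declare(strict_types=1);

// Session-cookie hardening that a script may set for itself without
// touching php.ini.
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_httponly', '1');
session_start();

// Role names are assumptions for this example, matching the thread's
// "admin" and "guest" user types.
const ROLE_ADMIN = 'admin';
const ROLE_GUEST = 'guest';

// Call once, right after a successful password check in the login script.
function establishSession(string $username, string $role): void
{
    // Replace the pre-login session id so an id that was set before
    // authentication cannot be reused as an authenticated one.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['role'] = $role;
    $_SESSION['login_at'] = time();
}

// True only when the session itself says so. Nothing here is read from
// $_GET or $_POST, so a crafted URL cannot satisfy it.
function isLoggedIn(): bool
{
    return isset($_SESSION['user'], $_SESSION['role']);
}

function hasRole(string $required): bool
{
    if (!isLoggedIn()) {
        return false;
    }
    return $_SESSION['role'] === $required;
}

// Deny by default: anything that is not an explicit allow ends the request,
// so the admin scripts need no separate password-protected directory.
function requireRole(string $required): void
{
    if (!hasRole($required)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage at the top of an admin page:
//   require 'admin_guard.php';
//   requireRole(ROLE_ADMIN);
//   ... admin-only content follows ...
```

Because requireRole() exits before any admin content is emitted, a guest who knows the URL of an admin script gets a 403 rather than the page, which is the "decent control at the beginning of the script" GM describes.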