Advice on PHP settings for all you technomaniacs
Posted: Wed Aug 02, 2006 7:19 am
by mohson
What type of settings on your version of PHP would affect something like password controls?
Imagine the scenario, you want to code your system to allow sessions so users can log in and log out, users have different types, i.e admin, guest and restrictions on the activities they do.
When you try and code this people say "oh by the way make sure you have etc etc switched on and etc etc switched off"
My question is: what are these "etcs"? What settings would people be referring to?
Also do you think that in certain environments these settings would have a legitimate reason to be switched off and unavailable say if you were using a server not controlled by you.
Any information would be welcome. I'm gathering this data from a range of sources so your technical input would be invaluable.
Thanks
Posted: Wed Aug 02, 2006 8:39 am
by feyd
I'm having trouble understanding what settings you could be referring to, and more importantly, why they would need to be on or off. You can script to handle either contingency (in the same script) most often.
Posted: Wed Aug 02, 2006 8:52 am
by RobertGonzalez
I think he is talking about the PHP setting in the ini file. I think.
If that is the case, some of the ones more commonly mentioned around here are:
Code:
register_globals = Off
display_errors = Off
short_open_tag = Off   ; the php.ini directive for "<?" short tags
asp_tags = Off         ; the php.ini directive for ASP-style "<% %>" tags
I know there are more that we talk about, but these are the ones, off the top of my head, that get the most airtime.
Posted: Wed Aug 02, 2006 8:59 am
by mohson
Yep Everah, that's exactly what I'm talking about. Now to the second part of my question: would certain organisations turn things like the ones you mentioned off for security or other reasons?
And if they did, would it be possible to work around this, i.e. as feyd has mentioned?
Posted: Wed Aug 02, 2006 9:04 am
by RobertGonzalez
mohson wrote:Yep Everah, that's exactly what I'm talking about. Now to the second part of my question: would certain organisations turn things like the ones you mentioned off for security or other reasons?
And if they did, would it be possible to work around this, i.e. as feyd has mentioned?
Yes, many organizations would turn these settings off if they are not defaulted to off, mostly because of security. Some of these can be overridden by using ini_set(), but in most cases you want these settings off.
Posted: Wed Aug 02, 2006 9:07 am
by feyd
register_globals is easy to deal with: write your script such that it doesn't require them to be on by using the superglobals -- $_GET, $_POST, $_FILES, $_COOKIE, $_SESSION, $_SERVER, etc.
display_errors: this can often be controlled from an .htaccess file, or by using set_error_handler() to create your own handlers for errors.
short_tags: always always use "<?php" instead of "<?". Same goes for "<?php echo" as opposed to "<?=".
asp_style_tags: same as short tags, as far as anyone should be concerned.
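As an added example (not code from anyone in this thread), here is a bootstrap include that applies feyd's advice on a server whose php.ini you do not control: it reads input only through the superglobals, takes display_errors under its own control at runtime and logs errors instead of echoing them, and reports which of the directives listed above are still on so the deployment can be checked. The directive names follow the php.ini names (register_globals, display_errors, short_open_tag, asp_tags); request_param() and risky_settings() are names chosen for this example.

```php
<?php
// Added example: defensive bootstrap for scripts that must run on a host whose
// php.ini settings are outside your control. Include it at the top of every page.

// Report any of the directives discussed in the thread that are still enabled.
// ini_get() returns the raw string ("1", "On", "yes", ...), so normalise it.
function risky_settings()
{
    $wantOff = array('register_globals', 'display_errors', 'short_open_tag', 'asp_tags');
    $stillOn = array();
    foreach ($wantOff as $name) {
        $value = ini_get($name);
        if ($value !== false && in_array(strtolower($value), array('1', 'on', 'yes', 'true'), true)) {
            $stillOn[] = $name;
        }
    }
    return $stillOn;
}

// Our own error handler: errors are written to the server log, never to the
// visitor, regardless of what display_errors is set to.
function log_error_handler($errno, $errstr, $errfile, $errline)
{
    error_log(sprintf('PHP error %d: %s in %s:%d', $errno, $errstr, $errfile, $errline));
    return true; // true = handled, PHP's own output for this error is suppressed
}

// Try to switch display_errors off at runtime. ini_set() returns false when the
// host has locked the directive, in which case only .htaccess or php.ini can help.
if (ini_set('display_errors', '0') === false) {
    error_log('display_errors could not be changed at runtime; set it in .htaccess or php.ini');
}
set_error_handler('log_error_handler');

// Input is read explicitly from the superglobals, so the script behaves the same
// whether register_globals is On or Off and nothing is auto-registered by name.
function request_param($name, $default = '')
{
    if (isset($_POST[$name])) {
        return (string) $_POST[$name];
    }
    if (isset($_GET[$name])) {
        return (string) $_GET[$name];
    }
    return $default;
}

// Log a warning per risky directive so a misconfigured host shows up in the logs.
foreach (risky_settings() as $name) {
    error_log("warning: php.ini directive $name is On");
}
```

Because the handler returns true, a notice or warning never reaches the browser even when the host leaves display_errors on; the log line carries the file and line number that you would otherwise have needed the screen output for.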
Posted: Wed Aug 02, 2006 9:08 am
by mohson
So therefore I could argue that I cannot create an administration section using sessions, because this would require settings in the ini file to be altered and as a result this could breach the organisation's security.
This doesn't prevent the system from having security, as the organisation has its own password control which can password protect directories.
Still, is mine a valid argument?
Posted: Wed Aug 02, 2006 9:17 am
by Jenk
Also, to avoid register_globals exploitation, always define your variables.
Code:
<?php
// $loggedin is only assigned when the check passes...
if ($user->isLoggedIn()) {
    $loggedin = true;
}
// ...but isset() cannot tell that assignment apart from one made by
// register_globals, which creates $loggedin from ?loggedin= in the URL.
if (isset($loggedin)) {
    $view->display('membersarea');
}
?>
is open to exploitation via register_globals, if the user enters:
http://www.example.com/page.php?loggedin=foo
Posted: Wed Aug 02, 2006 9:21 am
by RobertGonzalez
mohson wrote:So therefore I could argue that I cannot create an administration section using sessions, because this would require settings in the ini file to be altered and as a result this could breach the organisation's security.
This doesn't prevent the system from having security, as the organisation has its own password control which can password protect directories.
Still, is mine a valid argument?
No, you could not argue that. There are session settings in the php.ini file, but there is nothing preventing you from using native PHP sessions to create an administration section. There is also nothing preventing you from creating a database-managed session application to handle administration.
The settings we have discussed in this thread would not prevent you from using sessions at all.
Posted: Wed Aug 02, 2006 9:23 am
by mohson
Thank you all for your advice I shall add this to my report.
Appreciated.
Posted: Wed Aug 02, 2006 9:25 am
by GM
mohson wrote:So therefore I could argue that I cannot create an administration section using sessions, because this would require settings in the ini file to be altered and as a result this could breach the organisation's security.
This doesn't prevent the system from having security, as the organisation has its own password control which can password protect directories.
Still, is mine a valid argument?
No. You can create an Administration section with all of those settings switched off, using sessions or otherwise.
You don't even need to put Admin only php scripts into a separate directory, as with a decent control at the beginning of the script you can grant/deny access based on your own criteria.
Just to add to Jenk's example above, the correct way to do this is:
Code:
<?php
$loggedin = false;
// this way, no matter what the user does with the URL, $loggedin is always reset to false
if ($user->isLoggedIn()) {
    $loggedin = true;
}
if ($loggedin) {
    $view->display('membersarea');
}
?>
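As an added example (not GM's, Jenk's or RobertGonzalez's code), here is the "decent control at the beginning of the script" that GM and RobertGonzalez describe: an admin gate built only on native PHP sessions, which works with register_globals, display_errors and the tag directives all switched off and needs no php.ini change. It follows GM's deny-by-default pattern, regenerates the session id at login, and checks the role stored server-side in $_SESSION rather than anything the visitor can put in the URL. The user store, the usernames and the function names (authenticate, login, require_role, logout) are constructed for this example.

```php
<?php
// Added example: include this at the top of every admin-only script.
// Deny by default; grant only when the server-side session carries the role.
session_start();

// Hypothetical credential lookup. A constructed in-memory store stands in for
// the real users table; it returns the user's role or null on failure.
function authenticate($username, $password)
{
    $users = array(
        'alice' => array(password_hash('correct horse', PASSWORD_DEFAULT), 'admin'),
        'bob'   => array(password_hash('battery staple', PASSWORD_DEFAULT), 'guest'),
    );
    if (!isset($users[$username])) {
        return null;
    }
    list($hash, $role) = $users[$username];
    return password_verify($password, $hash) ? $role : null;
}

// Establish the session only after credentials check out. The id is regenerated
// so an id handed to the visitor before login cannot be reused afterwards.
function login($username, $password)
{
    $role = authenticate($username, $password);
    if ($role === null) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['role'] = $role;
    return true;
}

// The gate itself. $granted starts false (GM's pattern) and only the session
// value, never a request parameter, can flip it.
function require_role($role)
{
    $granted = false;
    if (isset($_SESSION['role']) && $_SESSION['role'] === $role) {
        $granted = true;
    }
    if (!$granted) {
        header('HTTP/1.1 403 Forbidden');
        exit('Access denied');
    }
}

function logout()
{
    $_SESSION = array();
    session_destroy();
}

// Usage: credentials arrive via the superglobals, never auto-registered names.
if (isset($_POST['username'], $_POST['password'])) {
    login((string) $_POST['username'], (string) $_POST['password']);
}
require_role('admin');
// Anything below this line runs only for a logged-in admin.
```

Scripts protected this way can live in the same directory as everything else, as GM notes; the gate, not the filesystem layout, decides who gets in, and it keeps working if the organisation later moves the site to a host with an even tighter php.ini.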