how big is this issue?

Posted: Thu Oct 19, 2006 11:52 am
by rami
I have found a web application which most probably is written in PHP 3... It seems that the whole application was written with register globals on...
It doesn't use things like $_POST, $_GET... The variables of one page are available in another page directly when the page is called.
I am using PHP 4 on my local computer, under the default config, where I think register globals is off.
So I can see warnings and notices all over. Some pages work, but the application doesn't work completely. I made many parts of the application use GET and POST where required, but there are too many. (The script is not syntactically wrong anywhere, but it has not used any GET or POST, and may have been written with register globals on.)

I uploaded the original files to my server, an internet server (without edits), and it worked perfectly fine, without any notices or errors.
(I think register globals is on.)

So should I continue with the script, or should I abandon it? (Should I turn register globals on in my local settings and just continue?)
Will there be any security problem using such a pre script? I have no second option, as I didn't find any other free script for it.
Well, I think it is suppressing those notices online. Is it good practice to do so?
Please, any suggestions...
Example of the programming:

<?php // beginning of page

   if ($random == 1) {

     $jokeid = get_random_joke(1);

   } else {

      $jokeid = $id;

   } // $random is used directly without any prior declaration, and so is $id, so it gives a notice...
   // I actually think that it roughly should be:
   $jokeid = ( isset($_GET['id']) ) ? $_GET['id'] : $_POST['id'] ; // this script is like that...

Second example:

<?php

   if ($listtype == "") {
      $listtype = 1;
   }

   if ($catid != "") {
      $listtype = 4;
   }
   /* $listtype is used directly... actually that list type is being passed from another page in the GET array, but it is directly accessible, and so is that catid */
   // even all the POST values of forms are used like this...

   $loggedin = true;
   session_register("loggedin"); // old-style session

So what should I do?

Posted: Thu Oct 19, 2006 12:12 pm
by feyd
If you want to use the script, fix it up so it doesn't rely on register_globals or old session setting ways and so forth. It's not entirely lost, just needs updating.
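
An added example, not part of the thread or of the application discussed: the two snippets and the session flag from the first post rewritten to run with register_globals off. The parameter names come from the posted code; request_int() and the get_random_joke() stand-in are hypothetical, and treating id and catid as numeric is an assumption.

```php
<?php
// Added example: the thread's snippets without reliance on register_globals.
// request_int() and the get_random_joke() stand-in are hypothetical helpers.

session_start();

// Read one integer parameter from GET, then POST; anything else yields $default.
function request_int($name, $default = null)
{
    foreach (array($_GET, $_POST) as $source) {
        if (isset($source[$name]) && is_string($source[$name])
            && ctype_digit($source[$name])) {
            return (int) $source[$name];
        }
    }
    return $default;
}

// Stand-in so the example runs alone; the real application defines its own.
if (!function_exists('get_random_joke')) {
    function get_random_joke($count)
    {
        return 1;
    }
}

// First snippet: $random and $id now have an explicit source and a default.
if (request_int('random', 0) === 1) {
    $jokeid = get_random_joke(1);
} else {
    $jokeid = request_int('id');   // null when missing or not a number
}

// Second snippet: same branching. Assumption: catid is a numeric id
// (the original treated any non-empty value as "set").
$listtype = request_int('listtype', 1);
if (request_int('catid') !== null) {
    $listtype = 4;
}

// session_register("loggedin") ties the flag to a global variable, and with
// register_globals on a request parameter named loggedin can set that global.
// Read the flag only from $_SESSION, which request data cannot populate.
$loggedin = isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true;

printf("jokeid=%s listtype=%d loggedin=%s\n",
    var_export($jokeid, true), $listtype, $loggedin ? 'yes' : 'no');
```

The login code would set `$_SESSION['loggedin'] = true;` after a successful check, in place of the `$loggedin = true; session_register("loggedin");` pair.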

Posted: Thu Oct 19, 2006 12:14 pm
by Christopher
How many lines is the script and how it is being used? If it is small you may want to upgrade it. If it is large you may want to suffer register globals. I would recommend turning off register globals and then turning it on only for the scripts that require it.

Posted: Thu Oct 19, 2006 9:00 pm
by rami
arborint wrote: How many lines is the script and how it is being used? If it is small you may want to upgrade it. If it is large you may want to suffer register globals. I would recommend turning off register globals and then turning it on only for the scripts that require it.

The whole POST and GET part is taken with register globals on,
as I can see nowhere in the script anything like
_POST['var'] or _GET['VAR'], though forms are used and variables are passed from one page to others...
So I must do it...
What to do...
As my server has it on, I guess register globals is going to be on anyhow...

Posted: Thu Oct 19, 2006 11:53 pm
by RobertGonzalez
Do not use a script that relies on register globals. Not at all. Make the script work as though RG were off.

Posted: Fri Oct 20, 2006 7:41 pm
by rami
Everah wrote: Do not use a script that relies on register globals. Not at all. Make the script work as though RG were off.

Yes, I have made it work without register globals being on. I have tested it locally with that setting, using GET, POST and session where required.
So should I use that script now, or would I still run into problems later?

Posted: Sat Oct 21, 2006 3:28 am
by d3ad1ysp0rk
I'm having trouble trying to understand what you say, but if you're saying it works w/o register globals on.. go ahead and use it.