Can I always change the status of RG by ini_set?
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Hi,
My script requires RG, Register Globals, to be turned off. I wonder, can I simply put ini_set("register_globals", "off"); in my config file?
I know that function works fine, but I am actually asking "Is there any chance that some servers block PHP from changing the state of RG?".
Thank you.
Take a look at http://de3.php.net/manual/en/ini.php : register_globals is marked as PHP_INI_PERDIR, which excludes ini_set().
The HTTP parameters are parsed before your script runs, so ini_set() comes too late to change the register_globals behaviour of PHP.
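To make the reply above concrete, here is an added example that is not code from the thread: because register_globals is PHP_INI_PERDIR, a script cannot switch it off at runtime, but it can read the effective value with ini_get() and refuse to run when the directive is on. The function name and the fail-closed response are my own choices; the .htaccess line in the comment is the directory-level control that the next reply mentions.

```php
<?php
// Added example: ini_set() cannot change register_globals (PHP_INI_PERDIR),
// but a script can still detect the effective value and refuse to run.
// The directory-level control is an .htaccess line (Apache mod_php):
//     php_flag register_globals off
// or the same directive in php.ini / httpd.conf.

/**
 * Return true when register_globals is enabled for this request.
 * For boolean directives ini_get() returns "" or "0" when off and "1" when on;
 * a php.ini may also carry the literal strings "on"/"off", so those are
 * accepted too.  PHP 5.4+ removed the directive, and ini_get() then returns
 * false, which this function treats as "off".
 */
function register_globals_enabled()
{
    $value = ini_get('register_globals');
    if ($value === false) {
        // Unknown directive: register_globals no longer exists in this PHP.
        return false;
    }
    return in_array(strtolower((string) $value), array('1', 'on', 'true', 'yes'), true);
}

// This call has no effect on the current request: the query string and
// POST body were already turned into globals before the script started.
ini_set('register_globals', '0');

if (register_globals_enabled()) {
    // Fail closed rather than run with a known-unsafe configuration.
    header('HTTP/1.1 503 Service Unavailable');
    exit('This application requires register_globals = Off; set it in php.ini '
       . 'or in .htaccess with "php_flag register_globals off".');
}
```

Running the check at the top of a shared config file is enough, since every later script inherits the same per-directory value; the point is that the application detects the condition instead of silently assuming ini_set() worked.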
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
As long as you initialized every single variable before reading it, you're often fine from register_globals type attack attempts. Avoid the basic extract() too.
ini_set() is not able to affect the register_globals setting. The processing for it happens before the script is executed. Directory level controls can alter it however.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Aye, sir.
What do you think if I include a script that checks if there is "admin" in $_GET or any other important vars.
EDIT: I code with E_ALL and I will always make sure there are no "undefined variable" type errors or any others. So does this mean I have initialized my variables well and am not vulnerable to RG through GET?
kaisellgren wrote:
...
What do you think if I include a script that checks if there is "admin" in $_GET or any other important vars.
...
Every form can be spoofed. Any data could be passed to your script... with or without RG. So don't be afraid of what might be in $_REQUEST.
As long as you stick to E_ALL stuff and validate all input variables that make sense for the script, you are all set.
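The two pieces of advice in this thread (initialise every variable before reading it and avoid extract(), from feyd's reply; validate all input under E_ALL, from the last reply) fit in one added example, which is not code from the thread. The first section is the classic register_globals failure, the second is the same logic written so that it behaves identically whether the directive is on or off. check_credentials() and show_admin_panel() are hypothetical stand-ins for a real login check and page, and the whitelist of actions is constructed for the example.

```php
<?php
// Added example (not from the thread). Both sections run at global scope,
// because register_globals only injects request parameters as *global*
// variables; the problem does not reach into function locals.

// Hypothetical credential check, standing in for a real session lookup.
function check_credentials()
{
    return isset($_SESSION['user_id']) && $_SESSION['user_id'] === 42;
}

// Hypothetical page body.
function show_admin_panel()
{
    echo "admin panel\n";
}

// --- Vulnerable pattern -------------------------------------------------
// $authorized is only assigned on the success path.  With register_globals
// on, a request such as  ?authorized=1  has already created $authorized
// before this code runs, so the gate below opens without credentials.
// With register_globals off and E_ALL, the same code emits
// "Notice: Undefined variable: authorized" on the failure path, which is the
// signal that the variable was never initialised.
if (check_credentials()) {
    $authorized = true;
}
if ($authorized) {
    show_admin_panel();
}

// --- Hardened pattern ----------------------------------------------------
// 1. Initialise before reading: the request can no longer pre-seed $authorized.
$authorized = false;
if (check_credentials()) {
    $authorized = true;
}
if ($authorized) {
    show_admin_panel();
}

// 2. Read input explicitly from the superglobal and validate it against a
//    whitelist.  Returns the accepted action, or null for anything else,
//    so callers never see raw request data.
function validated_action(array $get)
{
    $allowed = array('view', 'edit', 'delete');          // constructed list
    if (!isset($get['action']) || !is_string($get['action'])) {
        return null;
    }
    return in_array($get['action'], $allowed, true) ? $get['action'] : null;
}

// 3. Never do  extract($_GET);  it recreates register_globals by hand and
//    would overwrite $authorized above.  Copy only the keys you expect:
$action = validated_action($_GET);
if ($action === null) {
    header('HTTP/1.1 400 Bad Request');
    exit('unknown action');
}
```

The hardened section answers the EDIT question in the thread: once every variable is assigned before it is read, the code produces no "undefined variable" notices under E_ALL and the register_globals injection has nothing to hook into, and the whitelist validation handles the point that any value at all can arrive in $_GET or $_REQUEST regardless of the directive.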