Can I always change the status of RG by ini_set?

kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Can I always change the status of RG by ini_set?

Post by kaisellgren »

Hi,

My script requires RG, Register Globals, to be turned off. I wonder whether I can simply put ini_set("register_globals", "off"); in my config file?

I know that function works fine, but I am actually asking "Is there any chance that some servers block PHP from changing the state of RG?".

Thank you.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Why does it "require" that register globals be off?

Written such that it doesn't use register_globals-registered variables (or overwrites them), it shouldn't matter whether it is on or not.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Post by kaisellgren »

So basically if I initialize all variables like $admin = false; I will have no security problems?

And can you answer my question if you know the answer...

Thank you for your time.
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

Take a look at http://de3.php.net/manual/en/ini.php : register_globals is marked as PHP_INI_PERDIR, which excludes ini_set.
The HTTP parameters are parsed before your script is running, therefore ini_set comes too late to change the register_globals behaviour of PHP.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

As long as you initialize every single variable before reading it, you're often fine against register_globals-type attack attempts. Avoid the basic extract() too.

ini_set() is not able to affect the register_globals setting. The processing for it happens before the script is executed. Directory-level controls can alter it, however.
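The two patterns the thread is contrasting, as an added example (not code from any poster): a flag that is never given a default, which a request variable can supply when register_globals is On, next to the initialized form the replies recommend. It also shows the one thing a script can still do about the setting itself: since ini_set() cannot change a PHP_INI_PERDIR directive, the script reads the effective value with ini_get() and refuses to run if it is On, leaving the actual change to a directory-level control such as Apache's php_flag. The variable names, check_password(), show_admin_panel(), show_login_form() and the credential are all constructed for the example.

```php
<?php
// Added example, not code from the thread. Names below are illustrative.

// 1. Fail closed if register_globals is On. ini_set('register_globals', ...)
//    has no effect (PHP_INI_PERDIR, evaluated before the script runs), but
//    ini_get() still reports the effective value. The directory-level control
//    feyd mentions is, for Apache's mod_php:
//        php_flag register_globals off        (.htaccess or httpd.conf)
//    On PHP >= 5.4 the directive no longer exists and ini_get() returns false.
if (ini_get('register_globals')) {
    header('HTTP/1.1 500 Internal Server Error');
    exit("register_globals must be disabled for this application.\n");
}

// 2. Vulnerable pattern (kept as a comment so it never executes).
//    At file scope, with register_globals=On, the request  page.php?admin=1
//    defines $admin before this code runs. Nothing resets it, so any visitor
//    who appends admin=1 passes the check. Under E_ALL the missing default
//    would at least raise an "Undefined variable" notice for normal visitors.
//
//    if (check_password($_POST['user'], $_POST['pass'])) {
//        $admin = true;
//    }
//    if ($admin) { show_admin_panel(); }      // $admin never given a default

// 3. Hardened pattern: every variable gets a default before it is read, and
//    request data is read only through the superglobals. $admin is now a value
//    the script owns, so a request variable of the same name cannot pre-seed
//    it, and E_ALL stays clean because nothing undefined is ever read.
$admin = false;
$user  = isset($_POST['user']) ? (string) $_POST['user'] : '';
$pass  = isset($_POST['pass']) ? (string) $_POST['pass'] : '';

if (check_password($user, $pass)) {
    $admin = true;
}

if ($admin) {
    show_admin_panel();
} else {
    show_login_form();
}

// 4. extract() rebuilds the register_globals problem by hand: extract($_GET)
//    would recreate $admin from the query string. If extract() cannot be
//    avoided, EXTR_SKIP refuses to overwrite variables that already exist,
//    which only protects $admin because it was initialized in step 3.
//    extract($_GET, EXTR_SKIP);

function check_password($user, $pass)
{
    // Constructed credential for the example only; a real application would
    // look the user up in its own store and compare against a password hash.
    return $user === 'alice' && $pass === 'correct horse';
}

function show_admin_panel()
{
    echo "admin panel\n";
}

function show_login_form()
{
    echo "login form\n";
}
```

Run from the command line it prints "login form", since no POST data is present; the point is that no value outside the script's own assignments can ever make `$admin` true.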
aaronhall
DevNet Resident
Posts: 1040
Joined: Tue Aug 13, 2002 5:10 pm
Location: Back in Phoenix, missing the microbrews

Post by aaronhall »

If your error setting is at E_ALL, PHP will warn you if you make reference to a variable that isn't initialized.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Post by kaisellgren »

Aye, sir.

What do you think if I include a script that checks if there is "admin" in $_GET or any other important vars?

EDIT: I code with E_ALL and I will always make sure there are no "undefined variable" type errors or any others. So does this mean I have initialized my variables well and am not vulnerable to RG through GET?
aaronhall
DevNet Resident
Posts: 1040
Joined: Tue Aug 13, 2002 5:10 pm
Location: Back in Phoenix, missing the microbrews

Post by aaronhall »

As long as you are not referencing variables before they are initialized in the script, you're safe from register_globals vulnerabilities.
jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria
Contact:

Post by jmut »

kaisellgren wrote:...
What do you think if I include a script that checks if there is "admin" in $_GET or any other important vars?
...
Every form can be spoofed. Any data could be passed to your script, with or without RG. So don't be afraid of what might be in $_REQUEST.
As long as you stick to the E_ALL stuff and validate all input variables that make sense for the script, you are all set.