Can I always change the status of RG by ini_set?
Posted: Wed Jan 24, 2007 10:40 am
by kaisellgren
Hi,
My script requires RG, Register Globals, to be turned off. I wonder, can I simply put ini_set("register_globals",off); in my config file?
I know that function works fine, but I am actually asking "Is there any chance that some servers block PHP from changing the state of RG?".
Thank you.
Posted: Wed Jan 24, 2007 10:42 am
by feyd
Why does it "require" that register globals be off?
Written such that it doesn't use register_globals registered variables (or overwrites them), it shouldn't matter if it was on or not.
Posted: Wed Jan 24, 2007 10:45 am
by kaisellgren
So basically if I initialize all variables like $admin = false; I will have no security problems?
And can you answer my question if you know the answer...
Thank you for your time.
Posted: Wed Jan 24, 2007 10:48 am
by volka
Take a look at
http://de3.php.net/manual/en/ini.php, register_globals is marked as PHP_INI_PERDIR which excludes ini_set
The http parameters are parsed before your script is running therefore ini_set comes too late for changing the register_globals behaviour of php.
Posted: Wed Jan 24, 2007 10:48 am
by feyd
As long as you initialized every single variable before reading it, you're often fine from register_globals type attack attempts. Avoid the basic extract() too.
ini_set() is not able to affect the register_globals setting. The processing for it happens before the script is executed. Directory level controls can alter it however.
Posted: Wed Jan 24, 2007 10:55 am
by aaronhall
If your error setting is at E_ALL, PHP will warn you if you make reference to a variable that isn't initialized.
Posted: Wed Jan 24, 2007 10:56 am
by kaisellgren
Aye, sir.
What do you think if I include a script that checks if there is "admin" in $_GET or any other important vars.
EDIT: I code with E_ALL and I will always make sure there are no "undefined variables" type of errors or any other. So does this mean I have initialized my variables well and am not vulnerable to RG through GET?
Posted: Wed Jan 24, 2007 11:02 am
by aaronhall
As long as you are not referencing variables before they are initialized in the script, you're safe from register_globals vulnerabilities.
Posted: Thu Jan 25, 2007 12:08 pm
by jmut
kaisellgren wrote:...
What do you think if I include a script that checks if there is "admin" in $_GET or any other important vars.
...
Every form can be spoofed. Any data could be passed to your script... with or without RG. So don't be afraid of what might be in $_REQUEST.
As long as you stick to E_ALL stuff and validate all input variables that make sense for the script you are all set.
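An added example (not code from the thread), written for current PHP, where register_globals no longer exists, so the old ini behaviour is emulated by hand. `$request` is a constructed input. It shows the uninitialised-variable hazard feyd's reply describes, the initialise-first fix, and the explicit validation jmut recommends.

```php
<?php
// Added example, not from the thread. Emulates what register_globals=On did
// (importing request keys as globals before the script ran) and contrasts a
// check that relies on an uninitialised variable with one that initialises
// first and reads request input explicitly.

// Constructed request, standing in for an attacker-supplied ?admin=1
$request = ['admin' => '1'];

// Emulates register_globals=On. Calling extract() on request data does the
// same thing from inside a script, which is why the reply says to avoid it.
function emulate_register_globals(array $request): void
{
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// Vulnerable pattern: $admin is only assigned on the success path, so a
// value injected by register_globals survives when the login check fails.
function is_admin_unsafe(bool $login_ok): bool
{
    global $admin;
    if ($login_ok) {
        $admin = true;
    }
    return !empty($admin);   // reads a variable the script never initialised
}

// Hardened pattern: initialise before any read, so whatever the ini setting
// injected is overwritten and the decision depends only on the login check.
function is_admin_safe(bool $login_ok): bool
{
    $admin = false;          // always initialised first
    if ($login_ok) {
        $admin = true;
    }
    return $admin;
}

// Explicit input handling: read from the request array, never from a bare
// variable, and reject anything outside an allow-list instead of trusting it.
function requested_page(array $request): string
{
    $allowed = ['home', 'profile', 'help'];
    $page = $request['page'] ?? 'home';
    return in_array($page, $allowed, true) ? $page : 'home';
}

emulate_register_globals($request);
var_dump(is_admin_unsafe(false));   // injected $admin leaks into the check
var_dump(is_admin_safe(false));     // initialisation wins, login result only
var_dump(requested_page($request)); // missing 'page' falls back to the default
```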