Converting a site utilizing REGISTER GLOBALS need help

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

jo1234la
Forum Newbie
Posts: 11
Joined: Wed Feb 03, 2010 11:53 am

Converting a site utilizing REGISTER GLOBALS need help

Post by jo1234la »

Hello, first off I love this site; there is so much knowledge here it's crazy. When I am more skilled at PHP I would love to give back.

On to my topic. I have a site I inherited management for. It is built in PHP and uses an older version, PHP 3.xxx. When they built this site they used REGISTER GLOBAL and now my host (!@hoo.com) has stopped supporting that. Which is a problem for my client. I have been tasked with fixing this and frankly it is only one directory affected by this and I simply do not have a clue where to start.

The site seems to work fine except for this one item. The original builder used a database (mySQL) driven login system for users but for the ADMIN portion of the site he seems to have used .htdoc/.htpsswd/ something because the login prompt I get when I access this particular section of the site is in a popup box and I can't seem to locate where the login and passwords are being stored. So since they do not exist in the database then I am assuming they are scripted in an .htpsswd file somewhere.

Overall I need help in changing the ADMIN section's reliance on REGISTER GLOBAL and fix the site.

***Note *** The problems started happening the day Yahoo turned off register globals. Also I can log into the ADMIN section but when I click update on anything it will not commit the changes to the data.

Please help!!
AbraCadaver
DevNet Master
Posts: 2572
Joined: Mon Feb 24, 2003 10:12 am
Location: The Republic of Texas

Re: Converting a site utilizing REGISTER GLOBALS need help

Post by AbraCadaver »

We'll need more information in order to quote you a price.
mysql_function(): WARNING: This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used. See also MySQL: choosing an API guide and related FAQ for more information.
jo1234la
Forum Newbie
Posts: 11
Joined: Wed Feb 03, 2010 11:53 am

Re: Converting a site utilizing REGISTER GLOBALS need help

Post by jo1234la »

I know I am asking a lot but maybe just a pointer in the right direction. Or if you are serious about that quote, let's talk. I am too tied up to do this on my own right now, especially under this time crunch.

Thanks
AbraCadaver
DevNet Master
Posts: 2572
Joined: Mon Feb 24, 2003 10:12 am
Location: The Republic of Texas

Re: Converting a site utilizing REGISTER GLOBALS need help

Post by AbraCadaver »

jo1234la wrote: I know I am asking a lot but maybe just a pointer in the right direction. Or if you are serious about that quote, let's talk. I am too tied up to do this on my own right now, especially under this time crunch.

Thanks

The easy fix would be to add this to the top of each page or a common page that is included in the other pages. This has security implications the same as with register_globals enabled:

Code:

@import_request_variables('GPC');

The best and safest way would be to change all of your variables of type $variable that are coming from POST and GET to the $_POST['variable'] or $_GET['variable'] form.
mysql_function(): WARNING: This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used. See also MySQL: choosing an API guide and related FAQ for more information.
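
The per-variable conversion recommended in the post above, sketched as an added example (not code from the thread or from the site being discussed). The form fields id, title and price, the is_admin key and the session role are hypothetical, and the request and session arrays are constructed.

```php
<?php
// Added example. Field names, the is_admin key and the session role are
// hypothetical; the request and session arrays below are constructed.

// With register_globals (or import_request_variables('GPC')) every request
// key becomes a variable, so the old code could simply use $id, $title,
// $price, and a client could also supply any other variable name.
// Here only the three expected POST fields are read, each one validated.
function read_update_request(array $post): ?array
{
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    $price = filter_var($post['price'] ?? null, FILTER_VALIDATE_FLOAT);
    $title = $post['title'] ?? null;

    // filter_var() returns false for missing, non-numeric or array input.
    if ($id === false || $price === false
        || !is_string($title) || trim($title) === '') {
        return null;
    }
    return ['id' => $id, 'title' => trim($title), 'price' => $price];
}

// Constructed request: a normal update plus one extra key from the client.
$_POST = ['id' => '7', 'title' => ' New title ', 'price' => '19.95',
          'is_admin' => '1'];

// Authorisation is derived from server-side state only, never the request.
$session  = ['role' => 'editor'];  // constructed stand-in for $_SESSION
$is_admin = ($session['role'] === 'admin');

$update = read_update_request($_POST);
if (!$is_admin) {
    echo "Rejected: not an admin, extra is_admin key was ignored\n";
} elseif ($update === null) {
    echo "Rejected: missing or invalid field\n";
} else {
    // Pass $update to a prepared statement (MySQLi or PDO) from here.
    printf("Would update row %d: %s (%.2f)\n",
           $update['id'], $update['title'], $update['price']);
}
```

Because nothing in the script reads the is_admin key, sending it has no effect; under register_globals or import_request_variables the same key would have become a $is_admin variable before the script's own logic ran.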
jo1234la
Forum Newbie
Posts: 11
Joined: Wed Feb 03, 2010 11:53 am

Re: Converting a site utilizing REGISTER GLOBALS need help

Post by jo1234la »

DUDE !!! As always ..... You so rock!!! Thanks again man......
thirdshiftguy
Forum Newbie
Posts: 1
Joined: Fri Aug 06, 2010 9:36 am

Re: Converting a site utilizing REGISTER GLOBALS need help

Post by thirdshiftguy »

I am fuzzy on this subject. If use of register_globals is not advised and now deprecated, how do I acquire the information it provides? Such as http_referrer and remote_addr. And what is the REAL risk of using it? I am one of those paranoid programmers, so I like monitoring what happens and who is doing it. I have done simple PHP scripting prior to now, but I am now working with a database. I would like to be as secure as possible without restricting myself. Any thoughts?

Thank you.