
Help me Please regarding php security

Posted: Thu Apr 27, 2006 10:52 am
by mygloballine
Dear All,

My admin says that

allow_call_time_pass_reference
display_errors
register_globals
register_argc_argv
session.bug_compat_warn

All these are security issues and he cannot turn all these variables on, and my designer says that if he cannot turn them on he cannot help me with installing the websites. So what do you guys suggest? Please help me with this issue.

Are these variables, if turned ON, really a security threat??? Please suggest something.


Thanks in Advance
Forum Rules (http://forums.devnetwork.net/viewtopic.php?t=30037), Section 1.1 wrote: 2. Use descriptive subjects when you start a new thread. Vague titles such as "Help!", "Why?" are misleading and keep you from receiving an answer to your question.

Re: Help me Please regarding php security

Posted: Thu Apr 27, 2006 11:14 am
by RobertGonzalez
mygloballine wrote: My admin says that

allow_call_time_pass_reference
display_errors
register_globals
register_argc_argv
session.bug_compat_warn

Are these variables, if turned ON, really a security threat???
Just these two by themselves are major security risks:
display_errors
register_globals

display_errors should only be used for local debugging and testing. Even the PHP website says that. That is because display_errors shows a lot of information about your server and system when errors occur. Leave this off.

register_globals should never be turned on for any reason. It opens your server up to all sorts of malicious intent from less than honest folks.

If your developer is worth their salt, they should already know this and be developing with these issues in mind. If you are being told that they can't help you because of this, it might be time to find a new designer.
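Added example, not part of the thread: a small Python check an admin could run over a php.ini to see which of the directives discussed above are enabled, flagging only the two the reply calls major risks. The sample php.ini text and the function names are constructed for illustration, and the parser is a simplification of PHP's own ini handling.

```python
# Directives the reply above singles out as major risks when enabled.
MAJOR_RISK = ("display_errors", "register_globals")
# Remaining directives from the admin's list; reported but not rated here.
ALSO_LISTED = ("allow_call_time_pass_reference", "register_argc_argv",
               "session.bug_compat_warn")
TRUE_TOKENS = {"1", "on", "true", "yes"}

def parse_ini(text):
    """Return {directive: raw value}; the last assignment in the file wins."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop ; comments
        if not line or line.startswith("[") or "=" not in line:
            continue                              # blank, [section], or junk
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip("\"'")
    return settings

def state(settings, name):
    """'on', 'off', or 'unset' (PHP's built-in default applies)."""
    if name not in settings:
        return "unset"
    value = settings[name].lower()
    # display_errors also accepts stdout/stderr, which still shows errors.
    if value in TRUE_TOKENS or (name == "display_errors"
                                and value in {"stdout", "stderr"}):
        return "on"
    return "off"

def audit(text):
    """Return (major-risk directives that are on, state of every directive)."""
    settings = parse_ini(text)
    report = {n: state(settings, n) for n in MAJOR_RISK + ALSO_LISTED}
    findings = [n for n in MAJOR_RISK if report[n] == "on"]
    return findings, report

# Constructed sample php.ini, not taken from any real server.
SAMPLE_INI = """
[PHP]
display_errors = On
register_globals = "1"   ; quoted value
register_argc_argv = Off
display_errors = stderr
[Session]
session.bug_compat_warn = 0
"""

if __name__ == "__main__":
    findings, report = audit(SAMPLE_INI)
    for name, st in report.items():
        print(f"{name:32} {st:6} {'MAJOR RISK' if name in findings else ''}")
```

`php --ini` prints which php.ini files are loaded; per-directory overrides such as `.htaccess` `php_flag` lines are not covered by this check.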

Posted: Thu Apr 27, 2006 11:33 am
by Christopher
If you have an old application that you cannot change then get a new host, otherwise get a new designer.