Help me Please regarding php security

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

mygloballine
Forum Newbie
Posts: 1
Joined: Thu Apr 27, 2006 10:44 am


Post by mygloballine »

Dear All,

My admin says that

allow_call_time_pass_reference
display_errors
register_globals
register_argc_argv
session.bug_compat_warn

All these are security issues and he cannot turn all these variables on, and my designer says that if he cannot turn them on, he cannot help me with installing the websites. So what do you guys suggest? Please help me with this issue.

Are these variables, if turned ON, really a security threat? Please suggest something.


Thanks in Advance
Forum Rules (http://forums.devnetwork.net/viewtopic.php?t=30037), Section 1.1 wrote: 2. Use descriptive subjects when you start a new thread. Vague titles such as "Help!", "Why?" are misleading and keep you from receiving an answer to your question.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Re: Help me Please regarding php security

Post by RobertGonzalez »

mygloballine wrote:My admin says that

allow_call_time_pass_reference
display_errors
register_globals
register_argc_argv
session.bug_compat_warn

Are these variables, if turned ON, really a security threat?

Just these two by themselves are major security risks:
display_errors
register_globals

display_errors should only be used for local debugging and testing. Even the PHP website says that. That is because display_errors shows a lot of information about your server and system when errors occur. Leave this off.

register_globals should never be turned on for any reason. It opens your server up to all sorts of malicious intent from less than honest folks.

If your developer is worth their salt, they should already know this and be developing with these issues in mind. If you are being told that they can't help you because of this, it might be time to find a new designer.
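
An added example, not part of the original posts: a small Python check an admin could run over the text of a php.ini to see whether the two directives singled out in the reply above end up enabled. The function names and sample file are constructed for illustration, and the defaults used for directives missing from the file are PHP's built-in ones, which the thread does not state.

```python
# Added example: audit php.ini text for the two directives called out above.
RISKY = ("display_errors", "register_globals")
# PHP's built-in defaults when a directive is absent (assumption, not from the thread).
DEFAULTS = {"display_errors": "1", "register_globals": "0"}
TRUTHY = {"on", "yes", "true"}

def effective_settings(ini_text):
    """Return {directive: value}; a later assignment overrides an earlier one."""
    settings = {}
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if not line or line.startswith("[") or "=" not in line:
            continue                             # blank line or [section] header
        key, value = line.split("=", 1)
        # Directive names are case sensitive, so the key is kept as written.
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def is_on(name, value):
    """Interpret a php.ini value the way a boolean directive is read."""
    v = value.lower()
    if v.isdigit():
        return int(v) != 0
    # display_errors also accepts stdout/stderr, both of which emit errors.
    return v in TRUTHY or (name == "display_errors" and v in {"stdout", "stderr"})

def risky_enabled(ini_text):
    """List the risky directives that are effectively switched on."""
    settings = {**DEFAULTS, **effective_settings(ini_text)}
    return [name for name in RISKY if is_on(name, settings[name])]

# Constructed sample file, not taken from the thread.
SAMPLE_INI = """\
[PHP]
display_errors = Off
register_globals = On   ; requested by the designer
display_errors = "On"
session.bug_compat_warn = 1
"""

if __name__ == "__main__":
    for name in risky_enabled(SAMPLE_INI):
        print(f"{name} is enabled; turn it off on a production host")
```

Note that a file which never mentions display_errors is still flagged, because the built-in default leaves it on; setting it to Off explicitly is what clears the finding.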
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

If you have an old application that you cannot change then get a new host, otherwise get a new designer.
(#10850)