register_globals

[RickWeb]

One of my mates wants me to turn register_globals settings on, but last time i did this it cause all sorts of problems, i was just looking for some other views on the matter.

[Gwaihir]

Eh.. why would he want that?

[homoludens]

Off! Off! Off!

Etc.

[Vin DSL]

Tell your mate to rewrite his ^%$& code...

Dude, this is like soooo 2006!

Hackers will eat your mate alive, assuming they know he's alive...

[RickWeb]

Tell your mate to rewrite his ^%$& code...

Dude, this is like soooo 2006!

Hackers will eat your mate alive, assuming they know he's alive...

I know i told him, but i need some sort of technicial jarggon to get him with.

Any ideas Vin?

[Vin DSL]

Point him to this...

http://us2.php.net/register_globals

[Gwaihir]

And tell him he should follow up on the note on superglobals at the bottom if he wants to know how easy it is to do without register_globals.

[homoludens]

Dude, this is like soooo 2006!

Not quite.

One of my mates wants me to turn register_globals settings on, but last time i did this it cause all sorts of problems.

You can emulate register_globals anyway. Just don't.

[RickWeb]

This is the response i get

Hey Rick,


It isn't really an issue of my coding to be honest, it's an open source package and I don't really fancy trying to write an e-commerce program in PHP. Having register_globals turned off makes almost everything in Fantastico useless and I think trying to tweak the whole OS Commerce package to accommodate a server without register_globals wouldn't even be worth trying.


Is there no other way around this? What sort of security risks would be posed by having this feature turned on? Would this put just the domain at risk, or the entire server?


Regards,
Adam

[homoludens]

There are community fixes for running osCommerce with register_globals off. I wouldn't want to comment on whether they are secure or not.

[the_ancient]

There are community fixes for running osCommerce with register_globals off. I wouldn't want to comment on whether they are secure or not.

as of 2.2RC1 it should not be a issuse

http://forums.oscommerce.com/index.php?showtopic=268335

[Gwaihir]

Having register_globals turned off makes almost everything in Fantastico useless

Yet we have Fantastico and it works without a hitch..

Sorry to say it, but he is really years behind the times.

and I think trying to tweak the whole OS Commerce package to accommodate a server without register_globals wouldn't even be worth trying.

Right; it might take.. wow.. a whole minute longer than typing that e-mail?

Surely, like any application, OS Commerce includes some form of utitily script in each and every page. All it would take is to add the emulation homoludens pointed out at the top of that script. This is obviously still not a great way to go, but at least limits the risks to the one outdated application that actually uses it.

Is there no other way around this? What sort of security risks would be posed by having this feature turned on? Would this put just the domain at risk, or the entire server?

That depends on whether you run PHP in CGI mode (with seperate users), or as a module (with one php user for the whole server / VPS). In the first case it would risk the account, in the latter case the whole server / VPS.

[RickWeb]

I will set he straight next time.

[Vin DSL]

Sorry to say it, but he is really years behind the times...

Thank you!!!

[jason]

You can enable register_globals in just the directories used by OS Commerce via an Apache directive (if using mod_php) or custom php.ini file(s) is using PHP-CGI.

Disable register_globals for the whole site/server, then in the OS Commerce directory just add this to the .htaccess file if using mod_php:

Code:

php_flag register_globals on

or, if using PHP-CGI, copy your main php.ini file to the directory where OS Commerce is installed and change the register_globals setting of the copy.

--Jason