
Re: PHP and "Register_Globals"

From: Ulrich P. <spam(at)wir-sind.org>
Date: Sun Mar 30 2003 - 02:24:52 EST

hello group,

thanks for all your extensive feedback! there are some quite 'nice' solutions to work around this problem.

I am aware of the security issues, but my problems are:

  • the application started being developed *before* the register_globals discussion was started
  • the application is *huge*
  • no one will pay me for re-writing tons of code :o(

fortunately I did the login things at the end of the project, so I used all the new features for the login procedure and also for the 'good_login' problem.

without logging in you can't do anything in this app. that's the good thing. and the logged-in ones are 'only' staff members of the company I wrote this for. so *possibly* no real cracker, but a secretary *g*.

do you still think that I should re-write?

the issue is not that I am 'lazy' but that no one will understand the problem and pay for a fix-up. and I have to feed my dog ;-) BUT: of course I don't have a very good feeling about all this if it's kept as it is.


thanks again for your ideas and
best regards,

Ulrich

Jim McGarvey schrieb:

>>> my question is now: my app is 'safe', but what do I do if my future
>>> webhost has register_globals to 'off'?
>
> If you have to have a quick fix, the suggestion of having your provider make
>
>>> I soon realized the security issues, and wrote my own
>>> validation-functions, ... to handle all the XSS and SQL-injection
>>> problems.
>
> I'm sure you already know this, but just to be clear, the register_globals
>
>> just ask your provider to add the following in your VirtualHost:
>>
>> php_value register_globals on
>>
>> and this will be enabled for your site, and your site only...
>>
>> alternatively, you can use a function that does just that (imports
>> everything automatically). see:
>>
>> http://www.php.net/import-request-variables
>>
>> good luck.
>>
>> On Sat, 29 Mar 2003, Ulrich P. wrote:
>>
>>> hello,
>>>
>>> newer php-versions have set "register_globals" to "off" by default. i
>>> programmed a huge php-project during the last year and didn't start
>>> using the global POST and GET-arrays, so if a form contains
>>> <input type=text name=age> I use $age in my scripts.
>>>
>>> I soon realized the security issues, and wrote my own
>>> validation-functions, ... to handle all the XSS and SQL-injection
>>> problems.
>>>
>>> my question is now: my app is 'safe', but what do I do if my future
>>> webhost has register_globals to 'off'?
>>>
>>> would it be possible to write a script that registers the whole
>>> POST-array as single variables? simply as it used to be in 'older'
>>> PHP-versions?
>>>
>>> any ideas welcome :)
>>>
>>> regards,
>>>
>>> Ulrich
>>
>> --
>>
>>   Best regards,
>>      Shimi
>>
>> ----
>>
>>   "Outlook is a massive flaming horrid blatant security violation, which
>>    also happens to be a mail reader."
>>
>>   "Sure UNIX is user friendly; it's just picky about who its friends
>>    are."
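The 'good_login' problem Ulrich mentions and the register_globals workaround Shimi proposes, as an added example that is not part of any post in the thread. It is PHP 7+ code; authenticated_user() is a hypothetical stand-in for the application's real credential check, and the request arrays are constructed. Two caveats a practitioner would want: `php_value register_globals on` only takes effect when PHP runs as an Apache module, and both register_globals and import_request_variables() were deprecated in PHP 5.3 and removed in PHP 5.4, so on any current host the only way to keep `$age`-style code running is a compatibility shim. The shim below imports only an explicit list of expected field names and never overwrites an existing variable (EXTR_SKIP), which is what closes the hole.

```php
<?php
// Added example, not code from the thread or the application it discusses.

// Hypothetical helper standing in for the real login check (assumption).
function authenticated_user(array $post)
{
    // Constructed credentials; a real app would look these up and hash-compare.
    return isset($post['user'], $post['pass'])
        && $post['user'] === 'alice'
        && hash_equals('correct horse', $post['pass']);
}

// The "good_login" problem. With register_globals on, or with a naive
// extract($_REQUEST), every request key becomes a PHP variable before this
// code runs, so a request carrying good_login=1 pre-sets $good_login.
function vulnerable_login(array $request)
{
    extract($request);                 // mimics register_globals / import_request_variables()
    if (authenticated_user($request)) {
        $good_login = true;
    }
    return isset($good_login) && $good_login;   // attacker-supplied $good_login wins
}

// Compatibility shim: only the field names the script actually expects are
// turned into variables, and a caller-initialised variable is never clobbered.
function register_expected_vars(array $request, array $expected)
{
    $vars = array();
    foreach ($expected as $name) {
        if (array_key_exists($name, $request)) {
            $vars[$name] = $request[$name];
        }
    }
    return $vars;
}

function safe_login(array $request)
{
    $good_login = false;               // initialise security state before any import
    extract(register_expected_vars($request, array('age', 'user', 'pass')), EXTR_SKIP);
    if (authenticated_user($request)) {
        $good_login = true;
    }
    return $good_login;
}

// Constructed requests: a forged one with good_login=1 and no valid credentials,
// and a legitimate one with the stand-in credentials.
$forged = array('good_login' => '1', 'age' => '42');
$legit  = array('user' => 'alice', 'pass' => 'correct horse');

var_dump(vulnerable_login($forged));
var_dump(safe_login($forged));
var_dump(safe_login($legit));
```

Run with `php example.php`: the forged request is accepted by vulnerable_login() and rejected by safe_login(), while the legitimate request still logs in. The same register_expected_vars() call can be dropped at the top of each legacy script with that script's own field list, which keeps `$age` working without handing the request the power to define arbitrary variables.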
Received on Sun Mar 30 10:02:53 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:49 EDT

