register_globals=on question

  • Adams-Blake Co.

    register_globals=on question

    I know that having register_globals=ON is a security risk and we have it OFF.

    We want to use the GeekLog content manager and it only works with ON.

    Can someone give us some coding tips on how to mitigate any possible security
    problems if we turn it on? I know it has to do with a querystring that is
    the same as a variable name being sent in the URL. How can we prevent that and
    still leave globals ON? Anyone have some simple magic?

    Thanks,

    Al

  • Phil Roberts

    #2
    Re: register_globals=on question

    With total disregard for any kind of safety measures "Adams-Blake
    Co." <atakeoutcanton@adams.takeme.out.-blake.com> leapt forth and
    uttered:

    > I know that having register_globals=ON is a security risk and we
    > have it OFF.
    >
    > We want to use the GeekLog content manager and it only works
    > with ON.
    >
    > Can someone give us some coding tips on how to mitigate any
    > possible security problems if we turn it on? I know it has to do
    > with a querystring that is the same as a variable name being sent in
    > the URL. How can we prevent that and still leave globals ON?
    > Anyone have some simple magic?
    >
    > Thanks,
    >
    > Al

    rm ./geeklog -r

    That's the only sure way.

    What is geeklog anyway? Have you looked into something else like
    Plog? (http://plog.sourceforge.net)

    --
    There is no signature.....


    • sam

      #3
      Re: register_globals=on question

      What php version are you using?

      If your php version is >= 4.1.0
      Then add:

      import_request_variables('GPC');

      in the header of the file.
      This will import GET/POST/COOKIE in the global scope.

      If you want to import other variables like SERVER
      use the function extract().

      DO NOT touch your php.ini file!


      HTH




      "Adams-Blake Co." <atakeoutcanton@adams.takeme.out.-blake.com> wrote in
      message news:IDS7b.7577$Yt.7399@newsread4.news.pas.earthlink.net...
      > I know that having register_globals=ON is a security risk and we have it
      > OFF.
      >
      > We want to use the GeekLog content manager and it only works with ON.
      >
      > Can someone give us some coding tips on how to mitigate any possible
      > security problems if we turn it on? I know it has to do with a
      > querystring that is the same as a variable name being sent in the URL.
      > How can we prevent that and still leave globals ON? Anyone have some
      > simple magic?
      >
      > Thanks,
      >
      > Al



      • Matthias Esken

        #4
        Re: register_globals=on question

        "sam" <rbaba99@caramail.com> wrote:

        > If your php version is >= 4.1.0
        > Then add:
        >
        > import_request_variables('GPC');
        >
        > in the header of the file.
        > This will import GET/POST/COOKIE in the global scope.

        This is nearly the same as using register_globals = on.

        Regards,
        Matthias
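
An added example, not part of the original thread, of the risk Al describes and of why an unprefixed import behaves like register_globals=on: a request key that matches an uninitialised script variable supplies that variable's value. It assumes current PHP, where register_globals and import_request_variables() no longer exist, so extract() stands in for the import; the function names, the is_admin and user variables and the sample request are hypothetical.

```php
<?php
// Constructed sample input: the query string ?user=guest&is_admin=1
// as PHP would expose it in $_GET.
$request = ['user' => 'guest', 'is_admin' => '1'];

// Page logic that relies on $is_admin being unset unless the script sets it.
function vulnerable_page(array $request): bool
{
    // Stand-in for register_globals=on / import_request_variables('GPC'):
    // every request key becomes a variable before the page logic runs.
    extract($request);

    if (isset($user) && $user === 'al') {
        $is_admin = true;          // only assigned on the privileged path
    }
    // On every other path $is_admin holds whatever the request supplied.
    return !empty($is_admin);
}

// Same page with the import still active, written so the import cannot matter.
function hardened_page(array $request): bool
{
    extract($request);             // import still happens, as with globals ON

    // 1. Initialise every variable the script trusts before first use.
    $is_admin = false;
    // 2. Read input explicitly from its source instead of the imported copy.
    $user = isset($request['user']) ? (string) $request['user'] : '';

    if ($user === 'al') {
        $is_admin = true;
    }
    return $is_admin;
}

printf("vulnerable_page: %s\n", var_export(vulnerable_page($request), true));
printf("hardened_page:   %s\n", var_export(hardened_page($request), true));
```

Raising error_reporting so that notices about undefined variables are shown is a practical way to find the variables in existing code that need the explicit initialisation.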
