  1. #1
    FBI secret agent digitman's Avatar
    Join Date
    Sep 2004
    Location
    Work
    Posts
    697

    register globals and gpc_magic_quotes on?

    My client has register globals and gpc_magic_quotes (sorry, I can't spell) set to on in his php.ini for the sake of compatibility with old scripts. Please tell me:

    -Why do most people prefer having gpc_magic_quotes set to off? I mean, if I do stripslashes on all of the form variables before I use them anywhere, then it wouldn't matter if gpc_magic_quotes is on or not, would it?

    -If register globals is set to on but I still use only $_GET and $_POST to access form variables, then would there still be any security concerns for the new scripts that I write? And how can I overcome them without setting register_globals to off?

  2. #2
    SitePoint Member
    Join Date
    Sep 2004
    Location
    Oslo, Norway
    Posts
    2
    I don't feel qualified to give a good answer to the whole magic_quotes issue, but I can offer an opinion on register_globals:

    With register_globals on, any value delivered through either the get or post method will be automatically assigned to variables in your script. The source of get and post data is often a form, but not always. Post can be faked, as can get, with the latter being faked most easily. If someone appends the following to the action URL of your form...

    ?showitall=yes&stopfiddling=no

    ...two variables called $showitall and $stopfiddling will be set as the script begins execution. If you're using variables with these names somewhere in your script without unsetting them before doing anything with them, malicious users may effectively insert values into your script execution. This may crash your script, insert the wrong values into your database or give someone unauthorized access, among other things.

    I don't know if all that made any sense, but to put it simply: through faking the post or get data, someone might modify the content of any of your variables if register_globals is on.

    Twinkletoes
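
The effect described in the reply above, and the mitigation that works while register_globals stays on, shown as an added example that is not part of either post. Because register_globals was removed in PHP 5.4, the hypothetical helper `import_request()` plus `extract()` stands in for it; `login_ok()`, `page_unsafe()`, `page_safe()` and the sample credentials and requests are constructed for illustration.

```php
<?php
// Added example, not code from the thread. register_globals no longer exists
// (removed in PHP 5.4), so import_request() is a hypothetical stand-in that
// merges GET and POST parameters the way the setting did before script start.
function import_request(array $get, array $post): array
{
    return array_merge($get, $post); // POST overrides GET on a name clash
}

// Constructed credential check; a real script would query a user store.
function login_ok(array $post): bool
{
    return ($post['user'] ?? '') === 'editor'
        && ($post['pass'] ?? '') === 'constructed-secret';
}

// Reads its input only through $get/$post, yet never initialises $showitall.
function page_unsafe(array $get, array $post): string
{
    extract(import_request($get, $post), EXTR_SKIP); // simulates register_globals = On
    if (login_ok($post)) {
        $showitall = 'yes';
    }
    return (isset($showitall) && $showitall === 'yes') ? 'full listing' : 'public listing';
}

// Same script with the variable initialised before its first use.
function page_safe(array $get, array $post): string
{
    extract(import_request($get, $post), EXTR_SKIP);
    $showitall = 'no'; // overwrites anything the request supplied
    if (login_ok($post)) {
        $showitall = 'yes';
    }
    return $showitall === 'yes' ? 'full listing' : 'public listing';
}

// Constructed requests: anonymous, the thread's query string, and a valid login.
$requests = [
    'anonymous'        => [[], []],
    'query string set' => [['showitall' => 'yes', 'stopfiddling' => 'no'], []],
    'valid login'      => [[], ['user' => 'editor', 'pass' => 'constructed-secret']],
];
foreach ($requests as $label => [$get, $post]) {
    printf("%-17s unsafe=%-15s safe=%s\n", $label, page_unsafe($get, $post), page_safe($get, $post));
}
```

Reading form input only from `$_GET` and `$_POST` does not help `page_unsafe()`: the injected value arrives in a variable the script never assigned on that code path, so the fix is to give every variable a known value before it is read.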



