  1. #1
    artcoder

    How serious is register_globals on?

    I know that best practices dictate that php.ini have register_globals off. But how serious of a security risk (if at all) is it to have register_globals on? I would like examples of how having it on might pose security risks, so that I can judge how serious this is.

    If I was writing an app, I would have it off. But the problem is that some applications (let's just say, oh, osCommerce) need it on. So the question is: should I turn it on, or should I patch osCommerce so that it works with register_globals off?

    Does ZenCart (and what was that other spin-off?) require register_globals on? If not, should I use that instead?

  2. #2
    the setting itself is harmless. code can be written to be just as secure if register_globals is turned on as it is without it. you don't need to use the functionality the setting offers (e.g., you can still use the superglobals).

    where the problems arise is from coders who do not fully understand the possibilities with it. bad code has the potential to become even worse with register_globals on. it can encourage/support poor coding practices. there's a lot of bad code out there.

    whether an application requires register_globals or not shouldn't be the deciding factor for you. the quality of the code is more important; bad code is bad code. i'm not able to offer any advice on the quality of either software you listed though.

  3. #3
    I always get scared editing the globals

  4. #4
    Originally posted by the311guy:
    "I always get scared editing the globals"

    how exactly do you "edit" a global?

  5. #5
    artcoder
    I did some extra searching, and I am now pretty much convinced that one should not turn register_globals on. I'll be leaving the flag off (even on websites and servers that are not mine) and will work around it (i.e. with a patch, etc.).
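
The kind of risk the thread asks about, as an added example that is not from any poster: a page that assigns `$authorized` only on success, beside a version that initialises it first. `extract()` stands in for register_globals (removed in PHP 5.4) so the script runs on current PHP; `check_login()`, the page functions and the request data are hypothetical and constructed.

```php
<?php
// Constructed request data, standing in for $_GET of "page.php?authorized=1".
$request = ['authorized' => '1'];

// Hypothetical stand-in for a real credential check; it always fails here,
// i.e. the visitor has NOT logged in.
function check_login(array $request): bool
{
    return false;
}

// Unsafe when register_globals is on: $authorized is assigned only on
// success, so a request parameter with the same name is left in place.
function vulnerable_page(array $request): string
{
    // Emulates register_globals: every request key becomes a variable.
    extract($request);

    if (check_login($request)) {
        $authorized = true;
    }
    return !empty($authorized) ? 'secret page' : 'denied';
}

// Safe with the setting on or off: the flag is initialised before use,
// which overwrites anything the request injected.
function hardened_page(array $request): string
{
    extract($request);      // setting still "on"

    $authorized = false;    // explicit initialisation
    if (check_login($request)) {
        $authorized = true;
    }
    return $authorized ? 'secret page' : 'denied';
}

// Same request, same failed login, different outcome.
echo 'vulnerable: ', vulnerable_page($request), "\n";
echo 'hardened:   ', hardened_page($request), "\n";
```

When auditing an application that needs the setting on, the thing to look for is any variable that is read before the script itself has assigned it.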

