  1. #1
    Junior Member | Join Date: Dec 2006 | Posts: 2 | Member #: 14588
    I have a few sites on my web server. From what I understand, having register_globals turned on is a big security risk.

    I have a site that is coded to use register_globals, and we currently don't have the time to rewrite the entire thing so it works with register_globals off. This site is secure, you need to log in using SSL to access it. The other site is not secure, and does not need register_globals to be turned on, but has several applications that are vulnerable because it is turned on. We have had people drop email bombs on our server due to this being on.

    My question is, is there a way to have register_globals on for one site, and off for another?
    Thanks
    -Paul

  3. #2
    Senior Member | Join Date: Jun 2005 | Location: Atlanta, GA | Posts: 4,146 | Member #: 10263 | Liked: 1 times
    You should be able to use a .htaccess file to achieve this. I'm not 100% sure how it's achieved, but I know php.ini settings can be overridden in a .htaccess, and that should therefore be usable to fix your problem.

  4. #3
    Junior Member | Join Date: Dec 2006 | Posts: 2 | Member #: 14588
    I haven't done much with .htaccess files, but I have seen if you put:
    php_flag register_globals off
    in a .htaccess file it should turn it off.


    Is there a way for me to test that? If I put the .htaccess in the root of the website directory, will it cover the entire directory recursively? Or do I have to put that file into every directory within the root of the website?

  5. #4
    Senior Member filburt1 | Join Date: Jul 2002 | Location: Maryland, US | Posts: 11,774 | Member #: 3 | Liked: 21 times
    I think it's php_ini_set or something. It may vary on both the Apache and PHP versions you have. .htaccess files apply recursively to all subdirectories except for subdirectories with their own .htaccess file that overrides parameters you set higher in the hierarchy.

    As a preference, I like to define everything Apache-related in configuration files (vhost.conf, for example). It's more secure and offers better performance, but you need root access and you have to restart Apache (a trivial matter) for each change you make.

    register_globals is not in itself dangerous, but programmers who assume variables are not set make it dangerous. Using $_REQUEST['something'] is just as dangerous as $something if you assume that the variable isn't defined.
    filburt1, Web Design Forums.net founder
    Site of the Month contest: submit your site or vote for the winner!
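
An added example, not written by any poster in this thread: the per-site setup asked about in post #1, expressed as Apache virtual host configuration for mod_php in the style post #4 prefers. Host names and directory paths are assumptions, and register_globals only exists in PHP versions before 5.4.

```apache
# Constructed example; host names and directory paths are placeholders.
# Keep the server-wide default safe in php.ini:  register_globals = Off

# Legacy site that still depends on register_globals (the SSL login site).
<VirtualHost *:443>
    ServerName legacy.example.com
    DocumentRoot /var/www/legacy
    # SSLEngine and certificate directives omitted here

    <Directory /var/www/legacy>
        # php_admin_flag is valid only in the server config;
        # a .htaccess file or ini_set() cannot override it.
        php_admin_flag register_globals on
        AllowOverride None
    </Directory>
</VirtualHost>

# Public site that does not need register_globals.
<VirtualHost *:80>
    ServerName public.example.com
    DocumentRoot /var/www/public

    <Directory /var/www/public>
        # Pinned off, so an uploaded or edited .htaccess cannot re-enable it.
        php_admin_flag register_globals off
        AllowOverride None
    </Directory>
</VirtualHost>

# .htaccess alternative when the server config is not available:
#   php_flag register_globals off
# This needs mod_php and AllowOverride Options (or All) on that directory,
# and it applies to subdirectories unless a deeper .htaccess overrides it.
```

After restarting Apache, load a page that calls phpinfo() on each site and compare the Local Value column for register_globals; it should read On for the legacy site and Off for the public one.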

