This is a bit of a problem, because some variables need to be set in index.php, before the engine can get to them, like $errorReporting and some of the system paths. I'm not sure how to work around these--of course not all of these would be a problem even if a hacker did try and set these. Perhaps it is enough to target specific variables that might be problematic. Like the BOLTprocess array, and the like. I'll try and do a quick survey today and see if
But I wonder, is it possible to reset the default ini value in BoltWire? That seems like a smarter approach... (From my googling that approach may yield errors on some servers). Speaking of which, what if we just gave a warning that they need to upgrade their server settings. What do you think of that?

Cheers,
Dan

On Tue, Oct 13, 2009 at 4:22 AM, Hans <[email protected]> wrote:
>
> Re: register_globals:
> register_globals can be set in the PHP ini file. Since PHP 4.2.0 the
> default is OFF, before that default was ON. If register_globals is ON
> all variables supplied by requests like url requests, form submissions
> or cookies are automatically registered as global variables,
> regardless if the script is initialising them. That opens doors for
> misuse if the script fails to initialise variables.
>
> So with register_globals ON if for instance a url contains a string
> like &name=bob, then a var $name is automatically set with value
> 'bob'. It is global throughout the script, but in functions all
> globals except 'Superglobals' like $_POST, $_GET, etc need to be
> registered before use. So this injected variable $name would not be
> available in a function unless the function contains a 'global $name;'
> statement.
>
> register_globals ON allowed lazy programming, since variables were
> just available, instead of having to set them like
> $name = (isset($_GET['name'])) ? $_GET['name'] : 'defaultname' ;
>
> Note that in the example $name is set regardless of it being supplied
> by the url.
> So to safeguard against misuse of register_globals ON all variables
> should be initialised, and not just set in special condition.
> Basically give each var a default value, before using it, or setting
> it in a conditional. Initialising vars in functions may not be as
> critical, but it is good programming practise.
>
> See also http://en.wikibooks.org/wiki/PHP_Programming/Register_Globals
>
> ~Hans

You received this message because you are subscribed to the Google Groups "BoltWire" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/boltwire?hl=en
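The two defensive ideas raised in the thread (initialise every variable before use, and detect register_globals and warn or undo it) can be combined in a few lines of PHP. The block below is an added example, not BoltWire's code and not code from Hans or Dan. The variable names $errorReporting and $BOLTprocess are taken from the discussion as stand-ins for the script's own settings; the $protected list and the greet() function are assumptions made for the illustration. One fact the thread leaves open: register_globals is a PHP_INI_PERDIR setting, so it cannot be changed with ini_set() while a script runs; it can only be turned off in php.ini, httpd.conf or .htaccess, which is why a script can at best detect it and clean up after it (the setting was removed entirely in PHP 5.4).

```php
<?php
// Added example (not BoltWire's own code): harden a PHP script that may run
// with register_globals=On. Must run before anything reads the globals below.

// 1. Every variable the script owns gets a default FIRST. With register_globals
//    on, request data was registered before this line ran, so assigning here
//    overwrites whatever a request tried to inject into these names.
$errorReporting = E_ALL;        // name taken from the thread, value assumed
$BOLTprocess    = array();      // name taken from the thread, value assumed

// Hans's pattern: initialise from the request with an explicit default, so the
// variable exists whether or not the parameter was supplied.
$name = isset($_GET['name']) ? $_GET['name'] : 'defaultname';

// Names that must survive the cleanup: the script's own variables plus the
// superglobals. (This list is an assumption for the example.)
$protected = array(
    'errorReporting', 'BOLTprocess', 'name', 'protected',
    'GLOBALS', '_GET', '_POST', '_COOKIE', '_FILES', '_SERVER', '_ENV',
    '_REQUEST', '_SESSION',
);

// 2. Detect register_globals. ini_set() cannot turn it off at runtime, so the
//    script warns the administrator and undoes the registration itself.
function registerGlobalsIsOn()
{
    return (bool) ini_get('register_globals');
}

// Remove every global that was auto-registered from a request source, except
// the protected names (which were already reset to known defaults above).
// Returns the list of names that were removed, which is useful for logging.
function unregisterRequestGlobals(array $protected)
{
    $removed = array();
    // Depending on variables_order, $_SERVER and $_ENV may also have been
    // registered; $_GET, $_POST, $_COOKIE and $_FILES are the usual sources.
    $sources = array($_GET, $_POST, $_COOKIE, $_FILES);
    foreach ($sources as $source) {
        foreach (array_keys($source) as $key) {
            if (in_array($key, $protected, true)) {
                continue;
            }
            if (array_key_exists($key, $GLOBALS)) {
                unset($GLOBALS[$key]);
                $removed[] = $key;
            }
        }
    }
    return $removed;
}

if (registerGlobalsIsOn()) {
    // The thread suggests telling users to fix the server setting; do that,
    // then clean up so the rest of the script runs as if it were off.
    trigger_error(
        'register_globals is On; please set it to Off in php.ini. '
        . 'Request variables have been unregistered for this request.',
        E_USER_WARNING
    );
    $removed = unregisterRequestGlobals($protected);
}

// 3. Scope check from the thread: a function does not see $name (injected or
//    not) unless it declares 'global $name;'. This one deliberately does not,
//    so it always uses its own local default.
function greet()
{
    $name = 'local default';   // local variable, unrelated to the global $name
    return 'Hello ' . $name;
}
```

Order matters here: the defaults in step 1 have to be assigned before the cleanup in step 2, because the cleanup skips protected names on the assumption that they already hold values the script chose, and any code that reads request data should go through $_GET/$_POST explicitly afterwards rather than relying on plain globals.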
