Re: [PHP] Register globals off, still not secure?

2004-04-30 Thread Richard Harb
Friday, April 30, 2004, 5:37:15 PM, thus was written:
> Hi, Even with register globals off isn't it possible to have a webpage
> like this:

Not sure what you are asking. You can have a webpage like this. And I
guess it even does what it should - print the information.

> <html>
> <head>
> </head>
>
> <h2>Hello, <?php echo $_SERVER['PHP_AUTH_USER']; ?>
> <p>I know your password is <?php echo $_SERVER['PHP_AUTH_PW']; ?>
>
> <body>
> </body>
> </html>


> Is there a way to make sure apache doesn't set the $_SERVER['PHP_AUTH_PW']
> global?

No, there is no way. The docs state that those Superglobals are always
set.
But I wouldn't necessarily say that this is insecure: A user does not
have access to those superglobals, except he managed to sneak in some
code onto your server - but then you'd have a problem somewhere else.

register_globals was intended as a shortcut for lazy programming (my
biased opinion only!) to automagically have $PHP_AUTH_PW, etc
available. That way some user would have been able to set this
variable easily, e.g. with a GET request. No way to directly set a
superglobal though by conventional means.

Richard

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Register globals off, still not secure?

2004-04-30 Thread Patrick Hutchinson
Thanks for the response. I basically have an environment analogous to an 
internal ISP. A lot of corporate users that have the ability to make web 
pages for the intranet etc. Basically management wants PHP turned off 
now because a rogue user could potentially gather and store people's 
passwords just by having a line like this in their web page. I'm looking 
for a way to not have $_SERVER pass the PHP_AUTH_PW portion at the very 
minimum, so I can justify to them to turn PHP back on.

I was under the impression that if an external auth method was used that 
these weren't set, but I guess I was mistaken. Since PHP is being run as 
a module, Apache basic auth isn't really external.

Thanks.

-Patrick



--
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
Patrick Hutchinson  [EMAIL PROTECTED]
Engineering Web Systems Administrator   408.527.0305 direct
Cisco Systems, Inc. 408.527.2313 fax


Re: [PHP] Register globals off, still not secure?

2004-04-30 Thread Daniel Clark
Yes.  My understanding is that turning globals off stops using $PHP_AUTH_PW directly.

> Hi, Even with register globals off isn't it possible to have a webpage
> like this:
>
> <html>
> <head>
> </head>
>
> <h2>Hello, <?php echo $_SERVER['PHP_AUTH_USER']; ?>
> <p>I know your password is <?php echo $_SERVER['PHP_AUTH_PW']; ?>
>
> <body>
> </body>
> </html>
>
>
> Is there a way to make sure apache doesn't set the $_SERVER['PHP_AUTH_PW']
> global?
>
> Thanks.
>
> --
> /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
> Patrick Hutchinson  [EMAIL PROTECTED]
> Engineering Web Systems Administrator 408.527.0305 direct
> Cisco Systems, Inc. 408.527.2313 fax







Re: [PHP] Register globals off, still not secure?

2004-04-30 Thread Justin Patrin
Yikes, talk about throwing the baby out with the bathwater! You may want 
to look into the auto_prepend_file php.ini setting. If you really want 
to do it, you can set it up so that the auto-prepended file unsets those 
values from $_SERVER so that the scripts can't abuse them.

auto_prepend_file = /var/www/killPasswords.php

<?php
unset($_SERVER['PHP_AUTH_PW']);
?>

--
paperCrane Justin Patrin
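A fuller version of the prepend file Justin describes, added here as an
example: it is not Justin's file and not part of PHP or Apache. The path
/var/www/killPasswords.php is taken from his post; the extra $_SERVER keys
it clears and the kp_credentials_cleared() helper are my own assumptions.

```php
<?php
// Added example (not Justin Patrin's file, not part of PHP itself):
// a prepend file that strips HTTP Basic-auth credentials before the
// page author's script runs. Assumed path: /var/www/killPasswords.php,
// wired in from httpd.conf with
//   php_admin_value auto_prepend_file /var/www/killPasswords.php
// (php_admin_value so a per-directory .htaccess cannot replace it;
// auto_prepend_file is PHP_INI_PERDIR, so ini_set() cannot change it
// at runtime either).

// Keys that may carry the credentials, depending on SAPI and Apache
// configuration (assumed list). A key that is not present is skipped.
$credentialKeys = array(
    'PHP_AUTH_PW',                  // decoded password when Basic auth was used
    'HTTP_AUTHORIZATION',           // raw "Basic base64(user:pass)" header, if exposed
    'REDIRECT_HTTP_AUTHORIZATION',  // same header after an internal redirect
);

foreach ($credentialKeys as $key) {
    // $_SERVER (PHP >= 4.1) and the legacy long array (PHP 4, optional in
    // PHP 5) are separate copies, so both are cleared.
    unset($_SERVER[$key]);
    if (isset($HTTP_SERVER_VARS)) {
        unset($HTTP_SERVER_VARS[$key]);
    }
    // If register_globals is still on, the value also exists as a plain
    // global variable of the same name; remove that copy as well.
    unset($GLOBALS[$key]);
}

// Hypothetical helper (not a PHP API) a site operator can call from a
// test page to confirm the prepend file really ran for this request.
function kp_credentials_cleared()
{
    return !isset($_SERVER['PHP_AUTH_PW'])
        && !isset($_SERVER['HTTP_AUTHORIZATION'])
        && !isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION']);
}
```

Set the directive with php_admin_value rather than php_value, so that a
user's .htaccess cannot point auto_prepend_file somewhere else (the same
reason php_admin_flag is the safer spelling of the per-directory
register_globals settings discussed further down this page), and keep the
file owned by root and unwritable by the people who publish pages. It is
still only a partial fix: under mod_php a script can in principle still
read the raw Authorization header through apache_request_headers() /
getallheaders() unless those functions are listed in disable_functions,
which is PHP_INI_SYSTEM and therefore only settable in php.ini or
httpd.conf.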


RE: [PHP] Register Globals Off in .htacces

2002-10-25 Thread Jon Haworth
Hi,

> I just want to know if there is a way that i 
> can have register_globals On in my php.ini file 
> but for some application i can turn that Off 
> perhaps with a .htacces file.

In your .htaccess:

  php_flag register_globals on

or

  php_flag register_globals off

Manual pages at 
http://www.php.net/manual/en/configuration.changes.php

Cheers
Jon






Re: [PHP] Register Globals Off in .htacces

2002-10-25 Thread Tjoumaidis
Thx for your reply, it is working.

I also found from php.net that it's possible to set register_globals to 
off on a site-by-site basis via Apache, thus overriding the global 
setting of register_globals in php.ini:

In httpd.conf:

<VirtualHost 127.0.0.1>
ServerName localhost
DocumentRoot /var/www/html/mysite
php_value register_globals 0 (or 1 for on)
</VirtualHost>

That way, sites with old code can have register globals turned on, but 
for all new developments it will be disabled.





RE: [PHP] Register Globals Off in .htacces

2002-10-25 Thread Jon Haworth
Hi,

> Thx for your reply It is working.

No probs, glad to help.

> I also found from php.net that it's possible 
> to set register_globals to off on a site-by-
> site basis via Apache, thus overriding the global 
> setting of register_globals in php.ini:
>
> <VirtualHost 127.0.0.1>
> ServerName localhost
> DocumentRoot /var/www/html/mysite
> php_value register_globals 0 (or 1 for on)
> </VirtualHost>

Yup, or even in directories:

<Directory /var/www/html/mysite/foo>
  php_value register_globals 0
</Directory>

Which might be handy if you're updating scripts on a live site.

Cheers
Jon





Re: [PHP] Register Globals Off in .htacces

2002-10-25 Thread Alister
On Fri, 25 Oct 2002 13:16:27 +0300
Tjoumaidis [EMAIL PROTECTED] wrote:

> Hi to Everyone,
> I just want to know if there is a way that i can have register_globals 
> On in my php.ini file but for some application i can turn that Off 
> perhaps with a .htacces file.

I prefer it Off in php.ini and On in the .htaccess file. 

php_flag register_globals On

Yes, you can do it.

Alister





Re: [PHP] Register Globals Off in .htacces

2002-10-25 Thread Frank W.
It works only if I put it in my httpd.conf - yes, AllowOverride is set to
All :/

I'm using Apache 1.3.27 on Win2k.





RE: [PHP] Register Globals Off in .htacces

2002-10-25 Thread Jon Haworth
Hi Frank,

> > <VirtualHost 127.0.0.1>
> > ServerName localhost
> > DocumentRoot /var/www/html/mysite
> > php_value register_globals 0 (or 1 for on)
> > </VirtualHost>
>
> it works only if i put it in my httpd.conf - yes 
> allowoveride is set to all :/
>
> i'm using apache 1.3.27 on win2k.

Well, you're doing *something* wrong, 'cos it works fine here :-)

You have got an AccessFileName .htaccess directive, right?

You might like to try asking in
news:comp.infosystems.www.servers.ms-windows, or hanging around here until
an Apache guru turns up...

Cheers
Jon






Re: [PHP] Register Globals Off in .htacces

2002-10-25 Thread Frank W.
Well, I found my mistake ;)

On Windows I forgot to change the name of the .htaccess files, because on
Win they couldn't have an extension without a name.

So I've now named them just htaccess without the dot and it works fine.





Re: [PHP] Register globals off

2002-07-01 Thread Julie Meloni

AG I have to understand the new register globals off methods and it seems
AG like a good idea to learn that from the beginning but all the books and
AG beginners guides gives examples the old way.

give it 3 more weeks and the 2nd edition of PHP Fast & Easy will be
out...all register_globals updated and everything. :)  but that's 3
whole weeks.

AG eg if a simple PHP file for handling form input takes in the data using
AG $LastName can I simply use $_POST[LastName]??

pretty much.  If POST is the method.  Substitute $_GET if GET is the
method.

Handling session variables is a little different than just using
session_register().  Also, when uploading files, the $_FILES assoc array
behaves a wee bit differently.  And there's always the use of
$_SERVER['PHP_SELF'] instead of just $PHP_SELF.

It's all in the manual, but if  you just start with understanding the
$_POST and $_GET superglobals in relation to your forms, you've made a
good first step.



- Julie

-- Julie Meloni
-- [EMAIL PROTECTED]
-- www.thickbook.com

Find Sams Teach Yourself MySQL in 24 Hours at
http://www.amazon.com/exec/obidos/ASIN/0672323494/thickbookcom-20






Re: [PHP] Register globals off

2002-07-01 Thread Erik Price


On Monday, July 1, 2002, at 11:30  AM, Adrian Greeman wrote:

> Would it be true to say that every time an example is given where data
> is passed on (for forms and so forth) that I can simply replace the
> variable in the example with $_POST or $_GET?  Or do I have to do more?

Pretty much.  If the data was passed by a get-method form, or through 
the querystring, then the variable should be in the _GET array (such as 
$_GET['variablename']).  Likewise for post-method forms, and any 
cookie variable names are now $_COOKIE['variablename'].  Server 
variables like $PHP_SELF are now $_SERVER['PHP_SELF'], and you can read 
the rest under predefined variables in the manual at the web site.

> eg if a simple PHP file for handling form input takes in the data using
> $LastName can I simply use $_POST[LastName]??  It seems to work for a
> very simple example.   But should I read the array into a variable first?

Only if you want to -- you can always just refer to it as 
$_GET['variablename'].  In fact this is probably better for memory use.

> And do I need to do any validation or declaring of variables etc??  [I did
> have a problem reading in a number -  the solution was to put (int) before
> the POST array name though I don't understand why that was not needed with
> a string.

All POSTed or GETed data is string data, so if you for some reason 
explicitly need to cast the variable as an integer, then yes, you need 
to use (int).  But in many cases PHP does this automatically.

> I am also unclear what happens when you send something using header()  -
> does that also go into an array - if so which one and how do I use it?

I'm assuming you mean sending some querystring data, like

header("Location: http://domain.com/page.php?data=contents");

if so, then yes, you will end up with the string 'contents' in a 
variable called $_GET['data'] .



Erik






Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]


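The following is an added example (my code, not Julie's, Erik's, or from
any book) of a form handler written for register_globals = Off. The field
names LastName and age and the function names read_form() and
render_greeting() are made up for illustration. It puts the two points
from these replies side by side: why an uninitialised variable was
dangerous with register_globals On, and where the (int) cast Adrian asked
about fits into input handling (substitute $_GET for $_POST for a
get-method form or a querystring built with header()).

```php
<?php
// Added example (not from the posts above): a small form handler that
// reads its input from the $_POST superglobal only. Field names and
// function names are assumed for illustration.

// --- old pattern that only "worked" with register_globals = On ----------
// if (check_login()) { $authorized = true; }
// if ($authorized) { show_admin(); }
// With register_globals on, a request such as ?authorized=1 initialises
// $authorized before the script runs, so the check above is bypassed.
// With it off, $authorized is simply undefined unless the script sets it.

// --- the same logic written against the superglobal ---------------------
function read_form($post)
{
    // Initialise every variable the script relies on; never depend on a
    // value the request may or may not have supplied.
    $authorized = false;

    // Text field: take it only from the request array, default to ''.
    $lastName = isset($post['LastName']) ? trim((string) $post['LastName']) : '';

    // Numeric field: every $_GET/$_POST value arrives as a string, so cast
    // it explicitly instead of relying on implicit conversion. "12abc"
    // would cast to 12; reject anything that is not all digits instead.
    $age = null;
    if (isset($post['age']) && ctype_digit((string) $post['age'])) {
        $age = (int) $post['age'];
    }

    return array(
        'authorized' => $authorized,   // stays false whatever was submitted
        'last_name'  => $lastName,
        'age'        => $age,
    );
}

// Output is escaped so a submitted name cannot inject markup into the
// page (the thread's Basic-auth snippet echoes $_SERVER values unescaped).
function render_greeting($fields)
{
    $name = $fields['last_name'] === '' ? 'stranger' : $fields['last_name'];
    $age  = $fields['age'] === null ? 'an unknown age' : $fields['age'] . ' years old';
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES) . ', '
         . htmlspecialchars($age, ENT_QUOTES) . '.</p>';
}

// Usage: pass the real $_POST in. Constructed sample requests below.
$sample = array('LastName' => ' Greeman ', 'age' => '42', 'authorized' => '1');
echo render_greeting(read_form($sample)), "\n";
// -> <p>Hello, Greeman, 42 years old.</p>   ('authorized' => '1' is ignored)
echo render_greeting(read_form(array('age' => '12abc'))), "\n";
// -> <p>Hello, stranger, an unknown age.</p>
```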




Re: [PHP] Register Globals = off

2002-06-30 Thread Jason Wong

On Sunday 30 June 2002 23:12, PHPCoder wrote:
> Hi
> Going through some literature, it seems like the use of registered
> globals can cause security issues. Now, the dilemma, all my previous PHP
> installations ( for the last year or so ) have come with register
> globals = on in the php.ini file by default, and users on my system has
> happily coded their websites using this function.
> Now , with  all the new versions of PHP, the registered globals are
> turned off in the ini and will basically cause all those previous sites
> not to function. Which means that I'm between a rock and a hard place,
> turn the register globals back on and carry on with the security risks,
> or keep it off and have all those people re-code their sites...
> Is there a more gentle solution out there? Am I just misunderstanding
> the issue?
> Any light on the matter will be appreciated.

I don't think there are any gentle approaches to this. People will have to
bite the bullet sooner or later. 

What may help slightly is the fact that you can have different settings for 
register_globals for each virtual host. Thus the global setting for 
register_globals, ie php.ini, can be off. Then for each of your users who 
have not yet recoded, enable register_globals in their virtual host setting.

Thus the people who have bothered to recode will be able to benefit from a 
more secure application without being affected by the people who have not yet 
recoded.

-- 
Jason Wong - Gremlins Associates - www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

/*
Depart in pieces, i.e., split.
*/






Re: [PHP] Register Globals = off

2002-06-30 Thread Justin French

You could leave the setting to ON in your php.ini, and impose OFF on a
per-directory (account, domain, etc) basis with a .htaccess file (or
vice-versa), assuming you have Apache.

This will mean all new clients will have the setting to OFF, and will do
things the right way from day 1.  It will also allow existing clients to
modify their setting to OFF (as I do on a shared server) to keep things a
little more secure.

You could also advise all existing clients of a planned changeover in 12
months, offer code advice (including a simple function at the top of each
script that can push all $_GET['var'], POST, SESSION, etc vars into standard
$vars), and document the many security holes and benefits of upgrading over
time.

In 12 months, you can changeover to OFF in the php.ini file.  At which time
coding practices, books, websites, applications and all the rest will be
much more inline than they are now.


Justin French


