[PHP] cok-Re: [PHP] Re: Session hijacking

2003-10-19 Thread Ryan A
Hey,

> Use an ini_set in your sessions script (I am assuming that you are using a
> separate script to manage your sessions)

Not really, I use authenticate for the login, then above each script I have
a session_start() throughout the site.
It's gotten to be a habit that I start a script with session_start() then
continue writing.

> you might start looking for replacements for those
> scripts as it takes time to make the changes, but it has been a year since
> register_globals were turned off by default and mentioned that they were
> going away in the future.

Ok, something to think about, I guess as I get some time I'll have to sit
down and make those changes.

> In addition, take a look at some of the other suggestions that were made,
> beyond this one.

Yep, lots of brainy guys here.

Thanks for replying.

Cheers,
-Ryan

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] Re: cok-Re: [PHP] Re: Session hijacking

2003-10-19 Thread DvDmanDT
$_REQUEST is a great superglobal, check it out...
And at the top of the hijacked script:

// Copy every $_SESSION entry into a variable of the same name
while(list($tmp1,$tmp2)=each($_SESSION))
    $$tmp1=$tmp2;
$tmp1=$tmp2=NULL;

Could work.. :p
-- 
// DvDmanDT
MSN: [EMAIL PROTECTED]
Mail: [EMAIL PROTECTED]



[PHP] DvDanDT-Re: [PHP] Re: Session hijacking

2003-10-19 Thread Ryan A
Hey,
Thanks for replying.

**
$_REQUEST is a great superglobal, check it out...
And at the top of the hijacked script:

while(list($tmp1,$tmp2)=each($_SESSION))
$$tmp1=$tmp2;
$tmp1=$tmp2=NULL;

Could work.. :p


Can you tell me what the above does please? (am quite a newbie) and what's
the :-p for?
Plus, is that double dollar ($$tmp) a typo?

Thanks,
-Ryan




[PHP] Re: DvDanDT-Re: [PHP] Re: Session hijacking

2003-10-19 Thread DvDmanDT
The 'above' would make all items of $_SESSION array into variables... Errm..
$_SESSION['id'] would become $id, $_SESSION['username'] would become
$username and so on...

Not completely sure this'll work, but most likely as they already exist and
you only change their values, so they should remain globals... Guess it's
just to try.. :p

The $$ is not a typo, it means the name of the new variable should be the
value of the other one...
$tmp = 'hello';
$$tmp = 'world';
echo $hello; // will output 'world'

-- 
// DvDmanDT
MSN: [EMAIL PROTECTED]
Mail: [EMAIL PROTECTED]



Re: [PHP] Re: Session hijacking

2003-10-19 Thread Becoming Digital
You cannot use ini_set() for register_globals.  It must be done from .htaccess, 
httpd.conf or php.ini.
http://www.php.net/manual/en/function.ini-set.php

Edward Dudlik
Those who say it cannot be done
should not interrupt the person doing it.

wishy washy | www.amazon.com/o/registry/EGDXEBBWTYUU



- Original Message - 
From: J. Cox [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, 19 October, 2003 20:30
Subject: [PHP] Re: Session hijacking



Ryan A [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
> NO! Globals are on
> And asking the others they tell me that around 20% of the scripts (around
> 300 scripts) won't function with globals off :-(
>
> What to do?

Use an ini_set in your sessions script (I am assuming that you are using a
separate script to manage your sessions) to turn your registered globals
off.  Likewise though, you might start looking for replacements for those
scripts as it takes time to make the changes, but it has been a year since
register_globals were turned off by default and mentioned that they were
going away in the future.

In addition, take a look at some of the other suggestions that were made,
beyond this one.

J. Cox
http://www.xaraya.com




RE: [PHP] Re: Session hijacking

2003-10-19 Thread Radek Zajkowski
> off.  Likewise though, you might start looking for replacements for those
> scripts as it takes time to make the changes, but it has been a year since
> register_globals were turned off by default and mentioned that they were
> going away in the future.

That is sound advice, some time ago a lot of my scripts were using globals
on and as painful as it was I made the switch. In the long run it pays off.
It makes your programming more secure by default.

One quick way to globals is to simply find/replace in multiple files. Or
declare the values at the beginning of your scripts, e.g.

$foo = $_POST['foo'];

It does not fully utilise the globals off style of coding, but offers a
quick fix during transition period, especially if you're paranoid about
automatic find/replace.

R
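
Added example (not part of any message in this thread): a side-by-side of register_globals-style importing, which is also what a $$name loop over request or session data does, and the explicit per-variable import suggested above for the transition period. The field names, the patterns and the $is_admin flag are assumptions made up for the illustration.

```php
<?php
// Added example; field names, patterns and $is_admin are hypothetical.

// Stand-in for a page running with register_globals = On: every request key
// already exists as a variable before the page's own logic runs.
function legacy_page(array $request, bool $loginOk): bool
{
    extract($request);            // default EXTR_OVERWRITE, like register_globals
    if ($loginOk) {
        $is_admin = true;
    }
    // $is_admin is never initialised on the failure path, so a request
    // field with the same name decides the outcome.
    return !empty($is_admin);
}

// Globals-off replacement: the page initialises its own flags and imports
// only allow-listed fields, each checked against a pattern.
function safe_page(array $request, array $rules, bool $loginOk): array
{
    $is_admin = $loginOk;         // always set by the page itself
    $in = [];
    foreach ($rules as $name => $pattern) {
        $value = $request[$name] ?? null;
        $in[$name] = (is_string($value) && preg_match($pattern, $value) === 1)
            ? $value
            : null;               // missing or malformed input becomes null
    }
    return ['is_admin' => $is_admin] + $in;
}

// Constructed request: the expected form fields plus one the form never had.
$request = ['username' => 'ryan', 'page' => '3', 'is_admin' => '1'];
$rules = [
    'username' => '/^[A-Za-z0-9_]{1,32}$/',
    'page'     => '/^[0-9]{1,6}$/',
];

var_dump(legacy_page($request, false));
var_dump(safe_page($request, $rules, false));
```

The same allow-list function can be pointed at $_SESSION instead of the request array when a legacy page expects session values as plain variables.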






