Re: [PHP] How to set register_globals=off in the script?
Sebastian wrote:
if the script isn't that big you can probably use extract() in most
cases..
NOTE: Using extract() blindly import all the variables in
$_GET/$_POST/$_REQUEST is no more safe than register_globals being ON
Don't get a false sense of Security
Also, it would be rather tricky for ini_set to change register_globals...
I mean, by the time you execute that line of PHP code, it's already TOO
LATE and the variables have already been defined.
What would one expect PHP to do in this case:
?php
$a = 5;
ini_set('register_globals', 'off');
?
So if I surf to http://example.com/index.php?a=4
would you expect the above code to:
A) Leave $a at 5
B) Leave $a 'unset'
C) Generate an error
D) Leave $a at 4
Okay, D) isn't even a reasonable answer, but, really, none of the others
are either.
--
Like Music?
http://l-i-e.com/artists.htm
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] How to set register_globals=off in the script?
Yes and no... Here's what the manual has to say about this...Basically, you can't do it using ini_set, but you can do it using an htaccess file. http://us2.php.net/manual/en/ini.sect.data-handling.php#ini.register-globals register_globals boolean Whether or not to register the EGPCS (Environment, GET, POST, Cookie, Server) variables as global variables. As of PHP 4.2.0, this directive defaults to off. Please read the security chapter on Using register_globals for related information. Please note that register_globals cannot be set at runtime (ini_set()). Although, you can use .htaccess if your host allows it as described above. An example .htaccess entry: php_flag register_globals off. Note: register_globals is affected by the variables_order directive. On Tue, 21 Dec 2004 14:56:03 -0500, Jerry Swanson [EMAIL PROTECTED] wrote: I know that register_globals = on is not secure. But one program requires to use register_globals=on. So in php.ini register_globals is set to on. I have PHP 5.1, is it possible in the code set register_globals=off for specific scripts. So I want to keep PHP register_globals=on in php.ini, but in local files set to off? How I can do this? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] How to set register_globals=off in the script?
On Tue, 21 Dec 2004 14:56:03 -0500, Jerry Swanson [EMAIL PROTECTED] wrote: I know that register_globals = on is not secure. But one program requires to use register_globals=on. So in php.ini register_globals is set to on. I have PHP 5.1, is it possible in the code set register_globals=off for specific scripts. I'm afraid the answer is no, as the vars are globally set before running the first line of your script, so this parameter cannot be changed by code. But you can use some specific configurations if using Apache as the webserver: So I want to keep PHP register_globals=on in php.ini, but in local files set to off? How I can do this? If your server is Apache, you can modify locally modify the settings for a virtual server adding a line in the virtual server section in your httpd.conf file (and have off in your php.ini) php_flag register_globals = 1 Don't forget to restart Apache after adding this line. Also, you can set this line in the .htaccess file at the root directory for any website, and it will modify the setting only for that virtual server. The httpd.conf option is best as it is parsed only when Apache start, the .htaccess file is parsed for each file processed by the server. Hope this helps, Jordi. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] How to set register_globals=off in the script?
I know that register_globals = on is not secure. But one program requires to use register_globals=on. So in php.ini register_globals is set to on. I have PHP 5.1, is it possible in the code set register_globals=off for specific scripts. So I want to keep PHP register_globals=on in php.ini, but in local files set to off? you could use .htaccess or httpd.conf files to set it http://us2.php.net/ini_set -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] How to set register_globals=off in the script?
if the script isn't that big you can probably use extract() in most cases.. is the script in its own directory? if so you can turn register globals on just for that one directory.. create an .htaccess file and add: php_value register_globals on then place the .htaccess in the directory where the script is located. - Original Message - From: Jerry Swanson [EMAIL PROTECTED] To: PHP List [EMAIL PROTECTED] Sent: Tuesday, December 21, 2004 2:56 PM Subject: [PHP] How to set register_globals=off in the script? I know that register_globals = on is not secure. But one program requires to use register_globals=on. So in php.ini register_globals is set to on. I have PHP 5.1, is it possible in the code set register_globals=off for specific scripts. So I want to keep PHP register_globals=on in php.ini, but in local files set to off? How I can do this? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] How to set register_globals=off in the script?
From: Jerry Swanson [EMAIL PROTECTED] I know that register_globals = on is not secure. bah... you can write secure scripts with it on or off. having it off by default simply helps to lessen some of the security issues that new programmers may not be aware of. But one program requires to use register_globals=on. So in php.ini register_globals is set to on. I have PHP 5.1, is it possible in the code set register_globals=off for specific scripts. So I want to keep PHP register_globals=on in php.ini, but in local files set to off? How I can do this? You can use an .htaccess file to turn it on or off for directories. I don't think it works for individual scripts, though. ---John Holmes... UCCASS - PHP Survey System http://www.bigredspark.com/survey.html -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
