elira529
Posted August 17, 2006

I have been told that disabling register_globals is the way to go for security purposes. Reduces risk of web site hacking. Is this true? Any disadvantages to turning this off? Thanks!

Iggy
Posted August 17, 2006

> I have been told that disabling register_globals is the way to go for security purposes. Reduces risk of web site hacking. Is this true? Any disadvantages to turning this off? Thanks!

I'm experimenting with the Register Globals contrib and so far the only contrib it's busted (out of a list of 40 including UltraPics, CCGV and SPPC) has been the Attribute Manager contrib. I was able to fix it using the trouble-shooting guide included though.

So, depending on what contribs you want to use (and it looks like most won't cause any issue) I have to say I don't see any disadvantage and only +s.

Haven't gotten around to PayPal IPN as of yet. Maybe someone can pipe up on their experiences?

HTH,
Iggy

Everything's funny but nothing's a joke...

maritc
Posted August 18, 2006

> I'm experimenting with the Register Globals contrib and so far the only contrib it's busted (out of a list of 40 including UltraPics, CCGV and SPPC) has been the Attribute Manager contrib. I was able to fix it using the trouble-shooting guide included though.
>
> So, depending on what contribs you want to use (and it looks like most won't cause any issue) I have to say I don't see any disadvantage and only +s.
>
> Haven't gotten around to PayPal IPN as of yet. Maybe someone can pipe up on their experiences?
>
> HTH,
> Iggy

How can I make my store work without having register_globals on? My host is switching me to a more secure server, and they recommend having it disabled, as a security feature. On the test run they were doing, I got the error message

FATAL ERROR: register_globals is disabled in php.ini, please enable it!

when I tried to access the store. So will it work at all if it is disabled? If not, is there a way to make it work? I don't use many contributions, only a Paypal one and Center shop.

TIA! :)

Iggy
Posted August 18, 2006

Click on Register Globals in the post above to see the contrib.

HTH,
Iggy

Iggy
Posted August 18, 2006

Just as an aside I've been trying to get Admin Access Levels to play nice with register_globals off and it's a long hard slog of a time (at least for me). Just FYI for anyone considering it.

It's about halfway functional out of the box but unable to edit/update individual admin info under My Account.

If you get it working (or find a post with someone who has) do come back and tell me how :lol:

Iggy

Harald Ponce de Leon (osCommerce)
Posted August 18, 2006

register_globals can be enabled on Apache webservers by editing the .htaccess file. There are statements in there to enable and disable certain PHP configuration values, which are, however, disabled (commented out) by default.

cowlesj
Posted August 19, 2006

> register_globals can be enabled on Apache webservers by editing the .htaccess file. There are statements in there to enable and disable certain PHP configuration values, which are, however, disabled (commented out) by default.

I just downloaded the latest code and was genuinely shocked to see that it still required register_globals to be enabled in the core system. This is not difficult to fix although the contrib is flaky, as we found, and of course you have to be careful with other contribs that use it. But the point is that the core system shouldn't require a contrib to work without register globals.

Regardless of backwards compatibility the core should be changed as a matter of urgency and no further milestone upgrades should appear until it has been done.

Harald Ponce de Leon (osCommerce)
Posted August 19, 2006

The 2.2 release will remain with register_globals needed to be enabled. If you know of a security flaw because of this then please inform the team about it. (i.e., because 2.2 needs register_globals enabled, it does not mean it is insecure)

Making the 2.2 release register_globals compatible will mean the contributions for it will no longer work. In fact, any sorts of these changes in the 2.2 framework will break compatibility with the contributions. That is why 3.0 is basically a rewrite, as when we need to break compatibility, then we're doing it completely.

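An added illustration of the question debated in this thread (not osCommerce code and not written by any poster): register_globals becomes a security problem when a script reads a variable it never initialized. The setting was removed in PHP 5.4, so the example emulates it with extract(); the function names and the sample request are hypothetical.

```php
<?php
// Added example, not osCommerce code. extract() stands in for
// register_globals=On: each request parameter becomes a local variable.

// Risky pattern: $is_admin is assigned only on the success path, so a
// request parameter with the same name can supply its value.
function page_uninitialized(array $request, bool $login_ok): string
{
    extract($request);               // emulates register_globals=On
    if ($login_ok) {
        $is_admin = true;
    }
    return !empty($is_admin) ? 'admin panel' : 'denied';
}

// Same emulation, but the flag is initialized before use. Any injected
// value is overwritten, so the setting cannot influence the decision.
function page_initialized(array $request, bool $login_ok): string
{
    extract($request);               // emulates register_globals=On
    $is_admin = false;               // explicit initialization
    if ($login_ok) {
        $is_admin = true;
    }
    return $is_admin ? 'admin panel' : 'denied';
}

// Style that works with register_globals off: input is read by name
// from the request array and never becomes a variable implicitly.
function page_explicit(array $request, bool $login_ok): string
{
    $is_admin = $login_ok;           // never taken from the request
    $page = isset($request['page']) ? (int) $request['page'] : 1;
    return ($is_admin ? 'admin panel' : 'denied') . " (page $page)";
}

// Constructed sample request, equivalent to ?page=2&is_admin=1,
// sent by a visitor who has not logged in.
$request = ['page' => '2', 'is_admin' => '1'];

echo page_uninitialized($request, false), "\n";
echo page_initialized($request, false), "\n";
echo page_explicit($request, false), "\n";
```

Only the first function lets the request decide the outcome, which is why code that initializes every variable can run with the setting enabled, and why contributions that rely on implicit variables break when it is turned off.
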
This topic is now archived and is closed to further replies.