
osCommerce

The e-commerce.

Register_globals


elira529


I have been told that disabling register_globals is the way to go for security purposes. Reduces risk of web site hacking. Is this true? Any disadvantages to turning this off? Thanks!

 

I'm experimenting with the Register Globals contrib and so far the only contrib it's busted (out of a list of 40 including UltraPics, CCGV and SPPC) has been the Attribute Manager contrib. I was able to fix it using the trouble-shooting guide included though.

 

So, depending on what contribs you want to use (and it looks like most won't cause any issue) I have to say I don't see any disadvantage and only +s.

 

Haven't gotten around to PayPal IPN as of yet. Maybe someone can pipe up on their experiences?

 

HTH,

Iggy

Everything's funny but nothing's a joke...


How can I make my store work without having register_globals on? My host is switching me to a more secure server, and they recommend having it disabled, as a security feature. On the test run they were doing, I got the error message "FATAL ERROR: register_globals is disabled in php.ini, please enable it!" when I tried to access the store. So will it work at all if it is disabled? If not, is there a way to make it work? I don't use many contributions, only a PayPal one and Center shop.

 

TIA! :)


Just as an aside I've been trying to get Admin Access Levels to play nice with register_globals off and it's a long hard slog of a time (at least for me).

 

Just FYI for anyone considering it. It's about halfway functional out of the box but unable to edit/update individual admin info under My Account. If you get it working (or find a post with someone who has) do come back and tell me how :lol:

 

Iggy

Everything's funny but nothing's a joke...


register_globals can be enabled on Apache webservers by editing the .htaccess file. There are statements in there to enable and disable certain PHP configuration values, which are, however, disabled (commented out) by default.

 

I just downloaded the latest code and was genuinely shocked to see that it still required register_globals to be enabled in the core system. This is not difficult to fix although the contrib is flaky, as we found, and of course you have to be careful with other contribs that use it. But the point is that the core system shouldn't require a contrib to work without register globals. Regardless of backwards compatibility the core should be changed as a matter of urgency and no further milestone upgrades should appear until it has been done.


The 2.2 release will remain with register_globals needed to be enabled. If you know of a security flaw because of this then please inform the team about it. (ie, because 2.2 needs register_globals enabled, it does not mean it is insecure)

 

Making the 2.2 release register_globals compatible will mean the contributions for it will no longer work.

 

In fact, any sorts of these changes in the 2.2 framework will break compatibility with the contributions. That is why 3.0 is basically a rewrite, as when we need to break compatibility, then we're doing it completely.

:heart:, osCommerce
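
Added illustration, not part of any post above and not osCommerce code: the coding pattern that the register_globals setting affects, once with the variable left uninitialised and once initialised. The function names and the sample query string are hypothetical, and `extract()` stands in for register_globals, which PHP removed in 5.4.

```php
<?php
// Added illustration; not osCommerce code. All function names are hypothetical.
// register_globals was removed in PHP 5.4, so extract() with EXTR_SKIP stands in
// for it: request parameters become ordinary variables unless already assigned.

// Reports the live setting; ini_get() returns false where the directive is gone.
function register_globals_enabled(): bool
{
    return filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}

// Risky pattern: $authorized is only assigned on the success path, so with
// variable import active a request parameter of the same name fills the gap.
function is_authorized_uninitialised(array $request, bool $loggedIn): bool
{
    extract($request, EXTR_SKIP);   // emulated register_globals = On
    if ($loggedIn) {
        $authorized = true;
    }
    return !empty($authorized);
}

// Same logic with the variable initialised: the script's own assignment
// replaces anything imported, so the setting no longer matters here.
function is_authorized_initialised(array $request, bool $loggedIn): bool
{
    extract($request, EXTR_SKIP);   // emulated register_globals = On
    $authorized = false;
    if ($loggedIn) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed sample input: a query string from a visitor who is not logged in.
parse_str('products_id=12&authorized=1', $request);

var_dump(register_globals_enabled());
var_dump(is_authorized_uninitialised($request, false));
var_dump(is_authorized_initialised($request, false));
```

Whether a code base that needs register_globals is exposed therefore depends on whether every variable it trusts is assigned before it is read, which is what an audit of the core and of each contribution would look for.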


Archived

This topic is now archived and is closed to further replies.
