
Installing with register_globals off


JohnnieC


Posted

My current host has register_globals turned off. In addition, the setup of my host prevents one from using the .htaccess or custom php.ini method to turn globals on. I have found a Register Globals contribution. I was wondering if this was a good workaround.

The reason I ask is for long-term reasons. Granted the contribution will allow me to install and run osCommerce, however, how much do other contributions depend on register_globals being turned on? Below is the list of the following contributions that I plan on using:

  • Complete Review System
  • Google Checkout
  • PayPal IPN
  • Wishlist
  • IP Address Collector
  • Support System
  • FAQ System

In addition I may have to end up using a custom payment module whenever I decide to start using my own merchant system. My host states that it is more secure by them globally turning off register_globals and that script writers need to learn to write systems without depending on them. I am not an expert programmer.


What I would like to know is it really more secure having that turned off? Is it better to have that turned off, install the contribution, and take the risk of future contributions not working b/c of register_globals being turned off? Or is it just as secure to use a host that has them turned on?

Posted

If your host doesn't allow those settings, you don't have a choice since the shop won't work otherwise. You will have to install that contribution and deal with any problems it causes as they arise.

Jack


Posted
If your host doesn't allow those settings, you don't have a choice since the shop won't work otherwise. You will have to install that contribution and deal with any problems it causes as they arise.

Jack


But does their precautions actually make an osCommerce installation more secure than a host that does have register_globals on?

Posted
But does their precautions actually make an osCommerce installation more secure than a host that does have register_globals on?

This issue comes up all the time - do I or don't I?


Personally, I wouldn't run ANY web application (OSC or otherwise) with register globals enabled. In my mind, it's a security risk that you don't have to take. That's why I wrote the register globals contribution!


Some people disagree with this opinion and say that OSC does not have any bugs in it that can be exploited via register globals being enabled. Well, I'm not going to rubbish anyone's opinion, but I would ask you to consider the following :-


1/ How do you KNOW OSC does not have any bugs that can be exploited? I don't know that. Even if I'd written it (which I didn't), I would not trust it to have no bugs of this type. I've been writing software for well over 25 years now and know better than to say that something does not have any bugs in it!


2/ Even if OSC were to be PROVEN not to have any bugs in it that could be exploited in this way, what about the contributions / patches that EVERYONE adds to their OSC codebase? How good is the author of the contribution? Does he/she know what he/she's doing? Are you certain that none of the contributions you are using have security issues? I'm CERTAINLY not!


3/ And lastly, even if you could satisfy points 1 and 2 (which you won't be able to!), having register globals enabled on the server means that other PHP applications would also be vulnerable in this way (accepting that RG can be switched on and off in .htaccess, but use of .htaccess is a hack and nobody will ever convince me otherwise - but that's another issue).


The problem you may have if you apply the RG patch and switch off RG is that one or more of your contributions will break as a result. Having said this, most contributions actually will work ok (either by accident or design), and of those that will not, they can be easily fixed. I have seen in these forums several fixes for other contributions to make them work with RG off. So, the problem may not actually be as big as you think. There are also some notes in the RG contribution to help point you in the right direction with correcting other contributions to work with RG off.


And lastly, if you find a contribution that persists in relying on RG being set then ask yourself "do I want to be using this contribution?". There is NO EXCUSE (and never has been!) for writing a contribution that relies on RG being on. The RG issue has been known about for many years now and to continue to rely on its presence is nothing less than sloppy coding and reflects very badly on the author. Why would you want to use a contribution written by someone with sloppy coding practices? - see point 2 above :-)


Rich.
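The kind of bug Rich's points 1 and 2 are about, shown as an added illustration (constructed for this thread, not code from osCommerce or from the Register Globals contribution): a variable that is only assigned on success is silently pre-populated from the request when register_globals is on, while the hardened form initialises its state and reads input only from the superglobal it means. The `emulate_register_globals()` helper and the credential values are assumptions made for the demonstration.

```php
<?php
// Constructed example; not osCommerce or contribution code.
// Stand-in for what register_globals=On does before a script runs:
// every request parameter becomes a variable in global scope.
function emulate_register_globals(array $request): void {
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// Weak pattern: $authorized is assigned only on success and never
// initialised, so a request parameter named "authorized" can pre-set it
// when register_globals is on and the check passes without credentials.
function weak_check(string $user, string $pass): bool {
    global $authorized;
    if ($user === 'admin' && $pass === 'correct-horse') { // constructed credential
        $authorized = true;
    }
    return (bool) $authorized;
}

// Hardened pattern: initialise every variable before use and take input
// only from the superglobal you intend, so no server setting can inject it.
function hardened_check(array $post): bool {
    $authorized = false;
    $user = isset($post['user']) ? (string) $post['user'] : '';
    $pass = isset($post['pass']) ? (string) $post['pass'] : '';
    if ($user === 'admin' && $pass === 'correct-horse') {
        $authorized = true;
    }
    return $authorized;
}

// Constructed request: wrong password plus a stray "authorized" parameter.
$request = ['user' => 'admin', 'pass' => 'wrong', 'authorized' => '1'];

unset($GLOBALS['authorized']);
// register_globals off: nothing is pre-set, only the credentials decide.
var_dump(weak_check('admin', 'wrong'));
// register_globals on: the weak check now reads the injected flag.
emulate_register_globals($request);
var_dump(weak_check('admin', 'wrong'));
// The hardened check gives the same answer for this request in both modes.
var_dump(hardened_check($request));
```

The same initialise-before-use discipline is what makes a contribution work correctly whether register_globals is on or off, which is the fix Rich describes applying to contributions that break with RG disabled.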

Posted
Why would you want to use a contribution written by someone with sloppy coding practices?


Well, that reduces people's options to around 1 or 2 percent of available contributions :D


Apparently inserting an extra image on a page is a 'Contribution'.


Vger
