zamzmith Posted February 17, 2003

With all the security warnings about register_globals On why doesn't anyone seem concerned about the osCommerce package requiring register_globals to be On? Has there been any discussion of a version that will run with "register_globals Off"?

Mark Evans Posted February 17, 2003

We plan on removing the register globals requirement before 2.2 is released as final.

Mark Evans
osCommerce Monkey & Lead Guitarist for "Sparky + the Monkeys" (Album on sale in all good record shops)
---------------------------------------
Software is like sex: It's better when it's free. (Linus Torvalds)

sojomy Posted February 17, 2003

> With all the security warnings about register_globals On why doesn't anyone seem concerned about the osCommerce package requiring register_globals to be On? Has there been any discussion of a version that will run with "register_globals Off"?

register_globals being ON is not a security hole. All it does is allow users to write bad code. Even with register_globals being OFF, users can still write bad code. There are just more ways to write bad code with register_globals being on.

Since the developers of osCommerce seem to be a little farther advanced than "newb" status in PHP, I doubt that they (very often) use variables that are undeclared, or use variable names/values from the URL without checking them first. As far as I know, those are the major reasons why people say "register_globals" on is bad. If you know how to program well, then you can safely leave it on. If you don't...learn quickly.

Mark Evans Posted February 17, 2003

> Since the developers of osCommerce seem to be a little farther advanced than "newb" status in PHP

Thanks ;)

Yes we are aware of the problems relating to register globals and rest assured that we are doing everything possible to make osCommerce as secure as possible :)

cash Posted February 17, 2003

All fine and dandy but how about some alternatives... e.g. .htaccess

    php_flag register_globals on

This works for backwards compatibility with all of my other websites but not oscommerce..... I can't afford to change my php.ini for all of my sites because 1 requires it. It has been 4-5 months at least now since the php upgrade....

57chevy Posted February 20, 2003

hi folks,

where do i put this in my php.ini?

    php_flag register_globals on

i'm running a wamp installation on my local machine

thanks 4 ur help!
stephan

... in the end, it will work

Mark Evans Posted February 20, 2003

> I can't afford to change my php.ini for all of my sites because 1 requires it. It has been 4-5 months at least now since the php upgrade....

You can do it in the .htaccess file as you suggested so that is probably the best way forward for you.

The reason the problem is still there is because we are trying to maintain PHP3 compatibility for 2.2. Once we get past 2.2 then PHP3 compatibility will be dropped and things get much easier from then on :)

GIS_John Posted March 7, 2003

How does one add the php_flag register_globals on to the .htaccess file? I'm a little new to this, so I'm not sure how to proceed.

Thanks,
John

Timid Posted April 28, 2003

Just edit .htaccess in PICO or VI or whatever and add that line and save it. easy :)

PLMresearch Posted May 23, 2003

> The reason the problem is still there is because we are trying to maintain PHP3 compatibility for 2.2. Once we get past 2.2 then PHP3 compatibility will be dropped and things get much easier from then on :)

For those of us not running in a PHP3 environment and willing to do some hacking, can you give a general idea what parts of the code rely upon Register Globals = on?

Thanks,

The optimist proclaims that we live in the best of all possible worlds! The pessimist fears this is true.

sherman Posted June 30, 2003

Hi! Isn't anybody going to answer the previous post? I don't think my host allows me to modify the .htaccess file. Thanks.

sherman Posted June 30, 2003

> > The reason the problem is still there is because we are trying to maintain PHP3 compatibility for 2.2. Once we get past 2.2 then PHP3 compatibility will be dropped and things get much easier from then on :)
>
> For those of us not running in a PHP3 environment and willing to do some hacking, can you give a general idea what parts of the code rely upon Register Globals = on? Thanks,

Oops, my post ended in page 2. Anyway, this is the previous post I was referring to.

sherman Posted June 30, 2003

Before I forget, my host is running IIS 5 on a Win2000 server.

Jason Jacobs Posted June 30, 2003

Any variable that gets passed in from a form or in a url needs Register_Globals to be ON without the use of $HTTP_POST_VARS or $HTTP_GET_VARS, respectively. It will be a HUGE pain in the butt to find out which variables these are.

-j

PLMresearch Posted June 30, 2003

For what it's worth, seems as though the osC programmers have been pretty good about using the $HTTP_POST_VARS or $HTTP_GET_VARS arrays. There are a bunch of globals declared in the functions however. Fully agree about the PITB tracking them down. If anyone has any magical ideas to expedite this process... I would like to shut Register_Globals off so I can sleep better at night ;-)

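One way to shortlist the variables discussed in the posts above, as an added example that is not part of the thread or of osCommerce: a tokenizer pass that reports variables a file reads but never assigns, which are the candidates for values arriving through register_globals. It assumes PHP 7 or later with the tokenizer extension, treats the file as one flat scope (a heuristic, so expect false positives), and runs on a constructed sample.

```php
<?php
// Added example, not osCommerce code. Heuristic audit for register_globals
// dependence: variables that are read in a file but never assigned in it.

function unassigned_reads(string $source): array {
    // Drop whitespace and comments so "next token" lookups are meaningful.
    $tokens = array_values(array_filter(token_get_all($source), function ($t) {
        return !is_array($t)
            || !in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true);
    }));
    // Request arrays and other built-ins are not register_globals candidates.
    $builtin = '/^\$(this|GLOBALS|_[A-Z]+|HTTP_[A-Z]+_VARS|HTTP_POST_FILES)$/';

    $assigned  = [];
    $reads     = [];
    $declaring = false;   // inside "foreach (... as <here>)" or "function f(<here>)"
    foreach ($tokens as $i => $tok) {
        if (is_array($tok) && in_array($tok[0], [T_AS, T_FUNCTION], true)) {
            $declaring = true;
            continue;
        }
        if ($tok === ')') {
            $declaring = false;
            continue;
        }
        if (!is_array($tok) || $tok[0] !== T_VARIABLE) {
            continue;
        }
        $name = $tok[1];
        if ($declaring || ($tokens[$i + 1] ?? null) === '=') {
            $assigned[$name] = true;                    // the script sets this itself
        } elseif (!preg_match($builtin, $name)) {
            $reads[$name] = $reads[$name] ?? $tok[2];   // line of the first read
        }
    }
    return array_diff_key($reads, $assigned);           // name => line number
}

// Constructed sample source (hypothetical variable names).
$sample = <<<'PHP'
<?php
$page = 1;
if ($action == 'update') {
    foreach ($HTTP_POST_VARS as $key => $value) { $seen = $key; }
}
function show($id) { global $cart; return $cart . $id . $currency; }
PHP;

print_r(unassigned_reads($sample));
```

Names declared with `global` inside functions are reported as well when the file never assigns them, so the output still has to be checked by hand against the files that include the scanned one.
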
sherman Posted July 1, 2003

Looks like I have little choice but to wait for the next release of osCommerce as my host does not allow me to make use of .htaccess files. Is there any other solution? Thanks.

PLMresearch Posted July 1, 2003

Get a new host :wink: ? If you can, I suggest using the banner in the upper right corner - They work great by me.

startanisp Posted July 29, 2003

Does the .htaccess file hack work if you are on Win 2K? Can't seem to get it to work.. :?:

josheli Posted July 29, 2003

> Does the .htaccess file hack work if you are on Win 2K?

.htaccess does not work with IIS, but if you have apache on win2k, it should work.

However, you could try commenting out the "register_globals" check in 'application_top.php':

    /*
    if (function_exists('ini_get')) {
      ini_get('register_globals') or exit('FATAL ERROR: register_globals is disabled in php.ini, please enable it!');
    }
    */

and replacing it with the following:

    // Make the old long arrays and the superglobals reference the same values.
    $_GET =& $HTTP_GET_VARS;
    $_POST =& $HTTP_POST_VARS;
    $_ENV =& $HTTP_ENV_VARS;
    $_SERVER =& $HTTP_SERVER_VARS;
    $_FILES =& $HTTP_POST_FILES;
    $_COOKIE =& $HTTP_COOKIE_VARS;

    // Copy every entry into a variable of the same name.
    // A later loop overwrites a name already set by an earlier one.
    foreach ($_GET as $gvar => $gval) { $$gvar = $gval; }
    foreach ($_POST as $pvar => $pval) { $$pvar = $pval; }
    foreach ($_COOKIE as $cvar => $cval) { $$cvar = $cval; }
    foreach ($_SERVER as $svar => $sval) { $$svar = $sval; }
    foreach ($_FILES as $fvar => $fval) { $$fvar = $fval; }
    foreach ($_ENV as $evar => $eval) { $$evar = $eval; }
    foreach ($_REQUEST as $rvar => $rval) { $$rvar = $rval; }

IN THEORY that should accomplish the same thing as register globals being on. the first part just makes the old globals and new globals reference the same values. and all the "foreach" 's do is assign all superglobal values to corresponding local values.

note, there are also the $_SESSION and $HTTP_SESSION_VARS arrays, but they are trickier. for one thing, you can't deal with them until after this line in application_top.php:

    tep_session_start();

for another thing, osc *sort of* uses its own session management, so doing the above trick with the $_SESSION variables may or may not work.

none of this has been tested, but you can give it a shot. email me if you have questions or want help.

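A narrower form of the import loops in the post above, as an added example that is not part of the original post or of osCommerce: it copies only allowlisted, validated request names and never overwrites a value the application has already set, shown next to the blind copy for comparison. The parameter names, patterns and request data are constructed, an array stands in for the global scope, and PHP 7.1 or later is assumed.

```php
<?php
// Added example, not osCommerce code. $scope stands in for the global symbol
// table so the effect of each import can be inspected.

// Blind import: what the foreach loops (and register_globals itself) do.
function import_all(array $source, array &$scope): void {
    foreach ($source as $name => $value) {
        $scope[$name] = $value;                      // overwrites existing state
    }
}

// Allowlisted import: expected names only, validated, never overwriting.
function import_allowed(array $source, array &$scope, array $rules): array {
    $rejected = [];
    foreach ($source as $name => $value) {
        $ok = isset($rules[$name])                   // name is expected
            && !array_key_exists($name, $scope)      // does not clobber app state
            && is_string($value)                     // rejects arrays like ?x[]=1
            && preg_match($rules[$name], $value) === 1;
        if ($ok) {
            $scope[$name] = $value;
        } else {
            $rejected[] = $name;                     // log these when auditing
        }
    }
    return $rejected;
}

// Constructed request: one well-formed parameter, one malformed value, and
// one name that collides with application state (hypothetical names).
$request = ['products_id' => '42', 'language' => '../../etc', 'customer_id' => '1'];
$rules   = ['products_id' => '/^\d{1,9}$/', 'language' => '/^[a-z]{2,16}$/'];

$blind = ['customer_id' => null];                    // state before the import
import_all($request, $blind);

$safe = ['customer_id' => null];
$rejected = import_allowed($request, $safe, $rules);

var_dump($blind['customer_id']);   // value supplied by the request
var_dump($safe['customer_id']);    // application value left untouched
print_r($rejected);                // names that were refused
```
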
Archived
This topic is now archived and is closed to further replies.