Guest Posted June 30, 2003

Let's start with the problem: Using Register Globals

Perhaps the most controversial change in PHP is when the default value for the PHP directive register_globals went from ON to OFF in PHP 4.2.0 and higher. Reliance on this directive was quite common and many people didn't even know it existed and assumed it's just how PHP works. When on, register_globals will inject (poison) your scripts with all sorts of variables, like request variables from HTML forms. This coupled with the fact that PHP doesn't require variable initialization means writing insecure code is that much easier. Therefore the PHP community decided to disable this directive by default.

Plain and simple it's just bad programming skills to set register_globals = on.

BE ADVISED THAT SETTING YOUR GLOBALS TO ON, ACROSS YOUR ENTIRE SERVER IS NOT RECOMMENDED, AT ALL!!!!!!!

The Solution:

First let me start by saying, you should never have a PHP script set running as a user that has serious enough access level to cause damage, always create a limited level user that your PHP scripts will run under. This is of course nil if you have scripts that require root.

IF A SCRIPT REQUIRES ROOT, AND GLOBALS ON.... LEAVE IT ALONE!!!

Now, to get the osCommerce working beyond the "global" problem create an .htaccess file and save it in your document root, normally the htdocs directory. In this .htaccess file you should have this ONE line:

php_value register_globals 1

That's it. This will enable globals on a call by call basis for whatever directory the .htaccess file is located in, and is not a site wide change. This will also eliminate the need for going through all the files and adding headers.

Hopefully this will put this problem to rest.

Best regards
Pat
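
The risk the opening post describes (request variables injected into a script that never initializes its own), as an added example that is not part of the original post or of osCommerce. `check_password`, the sample password and the request arrays are constructed for illustration, and `extract()` stands in for `register_globals`, which was removed in PHP 5.4.

```php
<?php
// Added illustration, not osCommerce code. extract() copies request
// parameters into the local scope, which is what register_globals = On
// did for the global scope.

// Hypothetical credential check; the password is a constructed sample.
function check_password(array $request): bool
{
    return ($request['password'] ?? '') === 'constructed-sample-password';
}

// Pattern that breaks under register_globals: $authorized is never
// initialized, so a request parameter of the same name pre-sets it.
function is_admin_unsafe(array $request): bool
{
    extract($request);              // simulates register_globals = On
    if (check_password($request)) {
        $authorized = true;
    }
    return !empty($authorized);
}

// Hardened form: initialize the flag and read input only from the
// explicit request array, never from variables created on your behalf.
function is_admin_safe(array $request): bool
{
    $authorized = false;
    if (check_password($request)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed sample requests.
$requests = [
    'correct password'         => ['password' => 'constructed-sample-password'],
    'no credentials'           => [],
    'stray "authorized" param' => ['authorized' => '1'],
];

foreach ($requests as $label => $request) {
    printf("%-26s unsafe=%s safe=%s\n", $label,
        var_export(is_admin_unsafe($request), true),
        var_export(is_admin_safe($request), true));
}
```

Only the third request differs between the two functions: the unsafe version accepts it, the initialized version does not.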

alverman Posted June 30, 2003

Doesn't this also require some permissions in httpd.conf?

mattice Posted June 30, 2003

> Plain and simple it's just bad programming skills to set register_globals = on.

Read this thread: http://www.oscommerce.com/forums/viewtopic.php?t=34536

Indeed, the httpd.conf needs to be configured so it allows this directive in a .htaccess file to overrule the global server settings.

"Politics is the art of preventing people from taking part in affairs which properly concern them"

andredub Posted July 1, 2003

Hi,

What is httpd.conf?

OSCommerce is installed and I'm working (baby steps) on customizing it. I have tried turning register_globals off and added the line php_value register_globals 1 in every .htaccess file I have found. When I tried going back in the catalog, I got

FATAL ERROR: register_globals is disabled in php.ini, please enable it!

Now... as I do not think I will roll out the application for months to come (possibly August-September 03), if I had a general idea of when 2.2 will be out, I may not even have to waste time on this issue, right?

I understand that osC doesn't want to commit to a delivery date for 2.2 but maybe someone could tell me (email me) if I should simply wait a bit to solve this.

Regards,
Andre

andredub Posted July 1, 2003

Oops, I did not have the "notify me when a reply is posted". Please reply on this post.

Thanks,
Andre

alverman Posted July 1, 2003

Hi Andre,

httpd.conf is the server (Apache) configuration file, it's not part of OSC but the .htaccess files you edited rely on permissions set in that file.

To modify httpd.conf you need root permission. If you are on a shared server, then ask the system administrator (your provider) to set the necessary permissions for your directory (where your site is loaded); if you are testing the site locally, you can find httpd.conf in the apache/conf directory (usually).

MS2 will not deal w/ register_globals disabled yet, see workboard.

Do a search for "httpd.conf", there're many threads on the subject.

HTH

andredub Posted July 1, 2003

Hi Ivan,

Thanks for your reply. I'm not using Apache. I'm using IIS for the development phase. Any suggestions?

It's pretty disappointing to see that this issue is being addressed so far down the road. As my ISP host won't let us set REGISTER_GLOBALS on... I must strive to find a solution that works. I think they are running Apache. Do you think they would agree to turn this thing in httpd.conf?

Andre

alverman Posted July 1, 2003

I used IIS at the beginning (long time ago) and honestly I don't remember how to deal w/ it. I switched immediately to Apache w/ EasyPHP, which comes w/ MySQL - PHP - PHPmyAdmin and works great. There're several packages like that:

http://sourceforge.net/projects/phptriad
http://www.hotscripts.com/PHP/Software_and...Kits/index.html

> I think they are running Apache

Are you loading your files into a "www" directory? Most likely it's Apache.

You can also create an info.php file (the name "info" is just an example) w/ this code inside:

<?php phpinfo(); ?>

Upload it to your server and then point to it w/ your browser; it should give you all the information about the environment you are working in, including the "register_globals" setting.

About your ISP, if I'm correct, every directory can have its own settings/permissions, but you need to talk to them.

HTH
This topic is now archived and is closed to further replies.