
'register_globals' ON - Other PHP docs say NO!


RAINFIRE


I'd like to address the register_globals issue. Most other PHP/Apache docs are telling me not to turn it on for security reasons. So . . . I have a couple of questions.

1. Has the osCommerce code been proven secure under this configuration (with or without the Virtual Host solution)?

2. Is there a planned change to the osCommerce code so that register_globals will not have to be turned on?

Any thoughts? Don't really want to put up this solution if it is inherently insecure. Looks like a great package, though, and I really want to use it.


1 - YES

2 - See the Workboard at http://www.oscommerce.com/community/workboard

register_globals is ONLY INSECURE if you misuse it and write INSECURE code!

Turning register_globals=off does not make your code secure either....

See http://ca.php.net/register_globals

Superglobals are to replace register_globals - however you need PHP 4.1.0 or greater to fully support them. This would also break PHP3 compatibility.

Many servers are still running older versions of PHP (before Dec 2001 - i.e. older than 4.1.0) - thus may not run correctly using only superglobals.


This was a concern of mine as well. As far as I can tell, all session variables are wrapped in functions like tep_session_is_registered() which will prevent anyone from manually setting session variables through POST or GET while register_globals is ON. Also, $HTTP_POST_VARS is used to access form-submitted variables. Hmm... they must be making a transition from older code that does not access $HTTP_POST_VARS, etc., otherwise it seems like you could turn register_globals OFF (haven't tried it myself).

The main thing to worry about when register_globals is ON is the validity of your session variables, and that seems to be taken care of.

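The two replies above make three points that are easier to see in running code: register_globals is only dangerous when a script relies on a variable it never initialised, reading input through the superglobals ($_GET, $_POST, or the older $HTTP_GET_VARS/$HTTP_POST_VARS) plus unconditional initialisation closes the hole, and a session check has to consult the session store rather than a global. The script below is an added example written for this page; it is not osCommerce code. Because register_globals was removed in PHP 5.4, it emulates the setting with extract() so the behaviour can be reproduced on any current PHP. The request contents, the password "secret", and session_is_registered_stub() (a simplified stand-in for the idea behind osCommerce's tep_session_is_registered(), not that project's implementation) are all assumptions of the example.

```php
<?php
// Added example, not osCommerce code. Emulates register_globals=on, where every
// GET/POST/cookie key became a global before the first line of the script ran.
// Run with: php register_globals_demo.php

// Constructed request: an anonymous visitor requests ?is_admin=1&customer_id=7
// and submits no password at all. (Assumed input for the example.)
$_GET     = array('is_admin' => '1', 'customer_id' => '7');
$_POST    = array();
$_SESSION = array();   // nobody is logged in

// What register_globals=on did for you, in variables_order (EGPCS) order.
extract($_GET);
extract($_POST);

// --- 1. Vulnerable pattern: a flag that is only assigned on the success path --
// Written at file scope, the way a 2002-era script would be. Nothing resets
// $is_admin, so the value injected from the query string survives the check.
if (isset($_POST['password']) && $_POST['password'] === 'secret') {
    $is_admin = true;
}
echo "vulnerable check : ", (!empty($is_admin) ? "ADMIN" : "guest"), "\n";

// --- 2. Hardened pattern: initialise every variable unconditionally and read
//        input only through the superglobals (PHP >= 4.1.0; on older PHP the
//        $HTTP_*_VARS arrays play the same role) --------------------------------
$is_admin = false;     // this single line is what defeats the injection
$password = isset($_POST['password']) ? $_POST['password'] : '';
if ($password === 'secret') {
    $is_admin = true;
}
echo "hardened check   : ", ($is_admin ? "ADMIN" : "guest"), "\n";

// --- 3. Session state: decide on the session store, never on the global.
//        session_is_registered_stub() is a simplified stand-in for the idea
//        behind tep_session_is_registered(); it is NOT the osCommerce function.
function session_is_registered_stub($name)
{
    return isset($_SESSION[$name]);
}

if (session_is_registered_stub('customer_id')) {
    echo "session check    : logged in as customer ", $_SESSION['customer_id'], "\n";
} else {
    // $customer_id is '7' here because register_globals seeded it from the URL,
    // but the session store was consulted instead, so the forgery is ignored.
    echo "session check    : not logged in (ignored injected \$customer_id=",
         $customer_id, ")\n";
}
```

Running it shows the first check granting admin to a visitor who supplied no password, while the hardened check and the session check both refuse. The difference between sections 1 and 2 is not the ini setting but the unconditional `$is_admin = false;`, which is the practical meaning of "register_globals is only insecure if you write insecure code": any script that can be broken by pre-seeding a global is broken by design, and turning the setting off merely hides the symptom until some other include() or extract() seeds the same variable.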
