On Wed, Nov 25, 2009 at 3:01 PM, Allen McCabe wrote:
> *Warning*: Unknown: Your script possibly relies on a session side-effect
> which existed until PHP 4.2.3. Please be advised that the session extension
> does not consider global variables as a source of data, unless
> register_globals is enabl
Are you running PHP as a Module or as CGI or FCGI?
Look at phpinfo() output to be SURE.
If it's not running as a Module, none of those directives are defined,
because Apache (which implements .htaccess) has no friggin' idea what
php_value or php_flag is without PHP Module there to tell it.
On We
Tijnema wrote:
On 6/7/07, Afan Pasalic <[EMAIL PROTECTED]> wrote:
hi,
this question is already posted thousand times. but, after I tried for 2
hours to figure it out, I gave up and posted the question here.
I'm rebuilding one site. php 4.4.4
as usual, register_globals on, as well as magic_quot
On 6/7/07, Afan Pasalic <[EMAIL PROTECTED]> wrote:
hi,
this question is already posted thousand times. but, after I tried for 2
hours to figure it out, I gave up and posted the question here.
I'm rebuilding one site. php 4.4.4
as usual, register_globals on, as well as magic_quotes.
I tried to tur
Firstly, welcome to PHP. :-)
Secondly, that's not how you would enable register_globals if they're not
enabled.
Thirdly, you do not want to turn on register_globals. register globals are a
security risk. They're disabled by default on any recent (within the past 5
years) version of PHP, alth
Hi Jeff,
You want to leave register_globals OFF. Depending on how $charid is passed,
you want to use $_POST or $_GET:
$charid = $_POST['charid'];
or
$charid = $_GET['charid'];
I think you'll need to do the same for your $db_select variable. Is that what
you're after?
Regards,
Bruce
>>>
Hello,
Sunday, April 4, 2004, 1:17:53 AM, you wrote:
n> Why i cann't change register_globals value with ini_set()?
Because it's a system level configuration value - you cannot change it
in your scripts.
register_globals supports PHP_INI_PERDIR and PHP_INI_SYSTEM - meaning
it can only be chang
Jay Blanchard wrote:
[snip]
But IE and Konqueror both load the info.php correctly from my end. It
is
the index.php for Nukemods.com that gets hosed in those browsers.
So you're saying that index.php is broken? Then why it gets loaded fine
if I delete the .htaccess file?
[/snip]
That is exactl
[snip]
> But IE and Konqueror both load the info.php correctly from my end. It
is
> the index.php for Nukemods.com that gets hosed in those browsers.
So you're saying that index.php is broken? Then why it gets loaded fine
if I delete the .htaccess file?
[/snip]
That is exactly what I am saying.
Jay Blanchard wrote:
[snip]
Actually, according to the info.php page for that directory
register_globals is ON as you desire...correct?
Correct, the .htaccess file overides just fine register_globals and
error_reporting but somehow Internet Explorer and Konqueror does not
load the page.
[/snip
[snip]
> Actually, according to the info.php page for that directory
> register_globals is ON as you desire...correct?
Correct, the .htaccess file overides just fine register_globals and
error_reporting but somehow Internet Explorer and Konqueror does not
load the page.
[/snip]
But IE and Konqu
Jay Blanchard wrote:
[snip]
If I create an PHP environment such that I don't need to override
register_globals and error_reporting with a .htaccess file it works just
fine, so I guess the problem is in the .htaccess file. I posted my
httpd.conf file at http://e-technics.com/dorna/httpd.conf.
If
[snip]
If I create an PHP environment such that I don't need to override
register_globals and error_reporting with a .htaccess file it works just
fine, so I guess the problem is in the .htaccess file. I posted my
httpd.conf file at http://e-technics.com/dorna/httpd.conf.
If I comment the lines
Jay Blanchard wrote:
[snip]
It doesn't work. After all a script that contains only phpinfo()
(e-technics.com/dorna/info.php) works OK, but the webpage, which is a
PhpNuke doesn't work.
[/snip]
Actually info.php works in IE and reports register_global is ON locally
(within that directory). There
[snip]
It doesn't work. After all a script that contains only phpinfo()
(e-technics.com/dorna/info.php) works OK, but the webpage, which is a
PhpNuke doesn't work.
[/snip]
Actually info.php works in IE and reports register_global is ON locally
(within that directory). Therefore, as I stated ear
To: [EMAIL PROTECTED]
Subject: RE: [PHP] register_globals problem
The only problem I see with that is that you're using the constants E_ALL
and E_NOTICE in the .htaccess file. You can't use constants there, you need
to use the actual number. (2047 & ~8) == 2039:
php_flag register_globals 1
[snip]
>
>Did you try the test.php above?
>
>
>
Yes, I have. Doesn't work.
[/snip]
Then your httpd.conf in not configured properly. It would appear to me
that PHP is not working at all. I went to the URL inquestion and did not
find this test page, so it will be hard for me to help you. Does PHP
Jay Blanchard wrote:
[snip]
Put a page in that directory called test.php with only
phpinfo();
?>
It doesn't work at all if I put AddType application/x-httpd-php .php
[/snip]
Did you try the test.php above?
Yes, I have. Doesn't work.
--
PHP General Mailing List (http://www.php.net
D]
Subject: RE: [PHP] register_globals problem
The only problem I see with that is that you're using the constants E_ALL
and E_NOTICE in the .htaccess file. You can't use constants there, you need
to use the actual number. (2047 & ~8) == 2039:
php_flag register_globals 1
php_fla
The only problem I see with that is that you're using the constants E_ALL
and E_NOTICE in the .htaccess file. You can't use constants there, you need
to use the actual number. (2047 & ~8) == 2039:
php_flag register_globals 1
php_flag error_reporting "2039"
Chris
-Original Message-
From:
[snip]
>Put a page in that directory called test.php with only
>
>
>phpinfo();
>
>?>
It doesn't work at all if I put AddType application/x-httpd-php .php
[/snip]
Did you try the test.php above?
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Jay Blanchard wrote:
[snip]
I have a webpage that needs to use some specific php.ini settings
different from other php applications on my web server. I have created a
.htaccess file with the following content:
php_flag register_globals 1
php_flag error_reporting "E_ALL & ~E_NOTICE"
It works fi
[snip]
I have a webpage that needs to use some specific php.ini settings
different from other php applications on my web server. I have created a
.htaccess file with the following content:
php_flag register_globals 1
php_flag error_reporting "E_ALL & ~E_NOTICE"
It works fine, but only on Mozil
--- Fernando Melo <[EMAIL PROTECTED]> wrote:
> I was not making an assumption. I was stating a fact.
> "I get these using $_POST"
>
> I did NOT state that register_globals needs to be on to do what I'm
> doing.
If you're going to make false claims about what you previously said, you
might want t
---
From: Chris Shiflett [mailto:[EMAIL PROTECTED]
Sent: 13 November 2003 17:07
To: Fernando Melo; '[EMAIL PROTECTED]'
Subject: Re: [PHP] register_globals & security
--- Fernando Melo <[EMAIL PROTECTED]> wrote:
> I have a PHP application that passes variables (values) f
--- Raditha Dissanayake <[EMAIL PROTECTED]> wrote:
> At the risk of starting another flame war: IMHO switching off register
> globals and relying on $_POST etc can lull you into a false sense of
> security.
I agree, and this is more true with the safe_mode directive, which I have
always thought
--- Fernando Melo <[EMAIL PROTECTED]> wrote:
> I have a PHP application that passes variables (values) from a form.
> I get these using $_POST
>
> However I do also post some variables via a link. Which ofcourse
> requires register_globals to be ON.
This is a common problem I see on this list. Wh
with regards to security.
-Original Message-
From: Raditha Dissanayake [mailto:[EMAIL PROTECTED]
Sent: 13 November 2003 15:24
To: [EMAIL PROTECTED]
Subject: Re: [PHP] register_globals & security
Hi,
There is also a $_REQUEST variable.
At the risk of starting another flame war: IMHO swit
[snip]
There is also a $_REQUEST variable.
At the risk of starting another flame war: IMHO switching off register
globals and relying on $_POST etc can lull you into a false sense of
security.
[/snip]
***applause***
Bottom-lineas I just said in another threadinitialize your
variables an
Yup I still don't see how it improves anything with regards to security.
-Original Message-
From: Raditha Dissanayake [mailto:[EMAIL PROTECTED]
Sent: 13 November 2003 15:24
To: [EMAIL PROTECTED]
Subject: Re: [PHP] register_globals & security
Hi,
There is also a $_REQUEST var
still picked up the same way from a URL
-Original Message-
From: Jon Haworth [mailto:[EMAIL PROTECTED]
Sent: 13 November 2003 13:28
To: [EMAIL PROTECTED]
Subject: Re: [PHP] register_globals & security
Hi Fernando,
I have a PHP application that passes variables (values) from a fo
On Thu, Nov 13, 2003 at 01:55:08PM +0200, Fernando Melo wrote:
: Jon Haworth responded:
: : Fernando Melo wrote:
: : >
: : > I have a PHP application that passes variables (values) from a form.
: : > I get these using $_POST
: : >
: : > However I do also post some variables via a link. Which ofcou
Thanks.
I don't see how this makes it more secure though?
The values are still picked up the same way from a URL
-Original Message-
From: Jon Haworth [mailto:[EMAIL PROTECTED]
Sent: 13 November 2003 13:28
To: [EMAIL PROTECTED]
Subject: Re: [PHP] register_globals & sec
Hi Fernando,
> I have a PHP application that passes variables (values) from a form.
> I get these using $_POST
>
> However I do also post some variables via a link. Which ofcourse requires
> register_globals to be ON.
Do you mean variables in a URL, like this:
www.example.com/index.php?foo=1&bar
Please include the list in all of your replies. I skim message subjects and
don't read all messages. If you reply only to me, there's a good chance it will
not be read, and no one else will have a chance to answer your question.
--- [EMAIL PROTECTED] wrote:
> As i know, if register_globals is turn
--- [EMAIL PROTECTED] wrote:
>
> The problem concern:
>
> The correct site is: www.gardafun.com with apache.1.3.27 and
> php-4.0.6 with register_globals = On
>
> The new webserver is 213.21.138.119 with suse8.2 apache1.3.27 and
> php-4.3.3 with register_globals=off in the php.ini and in the
> .h
--- [EMAIL PROTECTED] wrote:
> In the php.ini I have set the registr_globals=3D Off
I'm assuming that 3D was put in there by some faulty mail client? Also, make
sure you spell it register_globals.
> php_flag register_globals on for only this site.
>
> With the function phpinfo I have see that th
[snip]
With the function phpinfo I have see that the Master Value is Off and
the=
Load Value is On but the site don't running successfully.
With suse8.1 with php4.2.2 I have nothing problem.
Any idea ?
[/snip]
Does the site rely on files outside of that directory? Do you 'allow
overrides' for the
On Sat, 27 Sep 2003 20:05:10 -0400
"Damon Kohler" <[EMAIL PROTECTED]> wrote:
> Well, it does turn off. At least phpinfo() says that it's off.
> However, PHP is acting as though it's still turned on. The source
> code for the page I'm using to test this odd result is:
>
>
> I'm running PHP 4.3.3
I don't think so... You have something particular in mind? You can check out
the page itself at http://my.innermetrix.cc/test.php
Damon
"Robert Cummings" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Are you using third party code that might be doing the export to global
> space i
Are you using third party code that might be doing the export to global
space itself?
Rob.
On Sat, 2003-09-27 at 22:21, Damon Kohler wrote:
> No, it's not cached. I can type in anything to the input and it'll show up.
> As in, if I type "test" into the form, it prints test. Then if I type "hello
No, it's not cached. I can type in anything to the input and it'll show up.
As in, if I type "test" into the form, it prints test. Then if I type "hello
world" it'll print hello world. So I'm pretty sure caching isn't the
problem.
Damon
"Cristian Lavaque" <[EMAIL PROTECTED]> wrote in message
new
I don't know much about this, but could it have been cached?
Cristian
Damon Kohler wrote:
> Well, it does turn off. At least phpinfo() says that it's off.
> However, PHP is acting as though it's still turned on. The
source
> code for the page I'm using to test this odd result is:
>
>
>
>
>
>
Rather than turning on register globals system wide I'd use .htaccess to
enable register globals for the specific sites or applications that
require them. Because the super globals have been introduced the
problem with register globals and application security may be more
prounounced for appli
Try restarting your apache.
-murugesan
- Original Message -
From: "Deependra b. Tandukar" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 03, 2003 10:09 AM
Subject: [PHP] register_globals
> Hi,
>
> I have configured PHP 4.3.3 in which register_gloabals is set to b
Deependra b. Tandukar wrote:
Hi,
I have configured PHP 4.3.3 in which register_gloabals is set to be off.
I modified etc/php.ini and set it to be On but still it shows it is off
and some developed applications in php are asking for it to be turned
on. How do I do this?
Did you restart the web
Hi,
I think you want to use:
php_value register_globals Off
I have this setup in VirtualHost's and in .htaccess files. The
difference between php_value and php_admin_value is that php_admin_value
can not be overridden in a .htaccess file or VirtualHost. So if you want
to enforce some settings a
Well, I know it has something to do with register_globals, because it
only starts working when I turn register_globals on. If it is off, the
script doesn't work.
Here is the php file that calls to the class. It doesn't seem to have
anything that is global, but as I said before, I am not very fa
> I found a class that allows you to have a multiple page listing, where
> it displays a certain number of items, and then you click on the next
> page to show the next results. I found that it needs to have
> register_globals turned on. I am learning, and would like to have
> someone look at the c
> I'm thinking of running a shopping cart package (osCommerce)
> that requires
> register_globals to be enabled. With all the warnings about
> security with
> register_globals enabled I'm worried.
>
> How dangerous is it?
The key defensive step is to initialize all of your session variables at
yeh, I'd strongly agree with Jonathan's view that quality of the code can
mitigate against the dangers of register_globals.
FYI, an interesting article on php vulnerabilities is at:
http://www.securereality.com.au/studyinscarlet.txt
David Eisenhart
"Jonathan Pitcher" <[EMAIL PROTECTED]> wrote i
Sam,
The register_globals can be dangerous to turn on but it really depends
on the quality of code that the shopping cart was written. See
Examples below for explanation.
Say you had a script that looked like this.
$Q = "Select * from Stored CreditCards where User='$User'";
. Retriv
three solutions:
1. turn register_globals off for compatibility purposes via .htaccess
file in the script's directory
2. create a auto_prepend file with the following: extract($_GET), this
should do the trick
3. rewrite the whole code to make any user-input (form) variable to be
$_REQUEST or $_
on 29/01/03 6:41 AM, Kiswa ([EMAIL PROTECTED]) wrote:
change If($id==1){ to If($_GET['id']==1){
or put this line near the top of your script:
$id = $_GET['id'];
or, a little more anal:
if(isset($_GET['id'])) { $id = $_GET['id']; }
Justin
> Finansiering
> If($id==1){
> echo " color=\"#0
try using pear...
On Sat, 2002-11-16 at 22:53, Leif K-Brooks wrote:
> I'm looking for a good class for forms that will work with
> register_globals off. I was planning to modify Manuel Lemos's class,
> but it turned out to be too big of a task. Any ideas?
>
> --
> The above message is encr
On Thursday 14 November 2002 03:41, Marek Kilimajer wrote:
> Even if the method is post, you can have get variables, if the form has
> action="script.php?get_var=value"
Yes but I don't (need to) define my forms like that so I don't really care :-)
--
Jason Wong -> Gremlins Associates -> www.grem
Even if the method is post, you can have get variables, if the form has
action="script.php?get_var=value"
Jason Wong wrote:
On Wednesday 13 November 2002 23:57, Leif K-Brooks wrote:
I am planning to use Manuel Lemos's form class for a web site I am
working on. However, I need to have registe
On Wednesday 13 November 2002 23:57, Leif K-Brooks wrote:
> I am planning to use Manuel Lemos's form class for a web site I am
> working on. However, I need to have register_globals set to off. I was
> planning to rewrite the portions of the class that access submitted form
> values directly to u
At 21:05 12.11.2002, Mark Spohr said:
[snip]
>I'm trying to convert this to use $_POST() as such:
>
> if (@$_POST['form'] == "yes")
>{
>unset($_POST['form']);
>}
>
>However, this does not work. It appears that you can't unset the
>$_POST['form'] array eleme
> I'm working on a site where I'm using geeklog
> http://geeklog.sourceforge.net/
>
> It has the requirement that
>
> > "Geeklog needs the register_globals variable turned on in order to work.
> > Since PHP 4.2.0, the default for register_globals is "off". To fix it,
> > simply add the following l
-
>From: "Chris Hewitt" <[EMAIL PROTECTED]>
>To: "Ahmed Abdalla" <[EMAIL PROTECTED]>
>Sent: Tuesday, June 11, 2002 9:06 PM
>Subject: Re: [PHP] register_globals flag in some directories
>
>
>>Ahmed,
>>
>>The /etc/httpd/conf/httpd.
Mike,
Both of your bit of code are not equal.
On my ISP in 4.0.6 isset returned false if the variable was not existing OR
empty
in 4.2 isset returns true if the variable exists but is empty, so you may
want to check with empty instead of isset
Luc
At 12:16 10/05/2002 +0100, Ford, Mike
On Fri, 10 May 2002, Ford, Mike [LSS] wrote:
> Also, by using the $_POST, $_GET arrays, you know exactly where the
> input is coming from (even if register_globals is also on!). If you
> have register_globals set to on, and you just look to see if (say)
> $password has a value, whic
At 15:13 10/05/2002, Ford, Mike [LSS] wrote:
>I should have said "less secure" rather than "more secure".
>
>Am I right this time?
Yep :)
Zeev
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
> -Original Message-
> From: Ford, Mike [LSS] [mailto:[EMAIL PROTECTED]]
> Sent: 10 May 2002 12:54
> To: 'Zeev Suraski'
> Cc: [EMAIL PROTECTED]
> Subject: RE: [PHP] register_globals in php4
>
> > -Original Message-
> > From: Zeev Sura
> -Original Message-
> From: Zeev Suraski [mailto:[EMAIL PROTECTED]]
> Sent: 10 May 2002 12:36
>
> You meant it the other way around, didn't you? :)
Er, yes! ;)
(I cut-and-pasted one example to create the other, and then changed the wrong "on" to
"off"!!)
Cheers!
Mike
--
At 14:16 10/05/2002, Ford, Mike [LSS] wrote:
>No, but this:
>
> if (isset($password)): // register_globals on
> $super_user = $password==$super_password;
> endif;
>
> if ($super_user):
> // sensitive admin stuff
> endif;
>
>is more secure than:
>
>
> -Original Message-
> From: Kevin Stone [mailto:[EMAIL PROTECTED]]
> Sent: 09 May 2002 23:09
>
> Hmm. No offense ..., but I don't believe turning
> Registered Globals off
> will have any effect on security. Turning Registered Globals off just
> provides a more strict environment for c
On Thu, 9 May 2002, Kevin Stone wrote:
>> If register_globals is off, then you'll get $_GET['id'] = 3 and
>> $_GET['sex'] = female. It's then up to you to make sure those are okay.
>> But at least $id and $sex won't get set until you explicitly set them in
>> your code.
>
> Hmm. No offense Migue
- Original Message -
From: "Miguel Cruz" <[EMAIL PROTECTED]>
To: "Patrick Hsieh" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, May 09, 2002 11:52 AM
Subject: Re: [PHP] register_globals in php4
> On Fri, 10 May 2002, Patrick
- Original Message -
From: "Patrick Hsieh" <[EMAIL PROTECTED]>
> Hello list,
>
> php4.1 recommends to set register_globals=off in php.ini to make php
> more strict. My question is, if I turn off register_globals, what will
> happen if any malicious user just try to modify the variable val
On Fri, 10 May 2002, Patrick Hsieh wrote:
> php4.1 recommends to set register_globals=off in php.ini to make php
> more strict. My question is, if I turn off register_globals, what will
> happen if any malicious user just try to modify the variable values in
> the url? Say,
>
> http://www.domain
Looks like you forgot your ticks ' around the PHP_SELF. If I am correct,
it should be $_SERVER['PHP_SELF'].
Either way, you might want to try this. Somebody else posted it before and
I have been using it so that no matter what version of PHP my program runs
on, it should work.
if (isset($_SER
On Sun, 28 Apr 2002, Kirk Babb wrote:
> How do I use $PHP_SELF with register_globals off? I looked up the
> documentation on php.net but haven't gotten this line of code to work:
>
>
action=''
miguel
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.ne
You are missing an ending quote to begin with. Either add it in and use
braces, or remove the quotes.
action = ''
or...
action = ''
or...
action = ''
Adapt to your needs...
---John Holmes...
> -Original Message-
> From: Kirk Babb [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, April 28
You would be better off reading the security chapter in the PHP
documentation. It is much better informed than that study-in-scarlet
thing.
On Mon, 1 Apr 2002, Erik Price wrote:
>
> On Sunday, March 31, 2002, at 04:05 AM, Liam wrote:
>
> > at the moment I have register_globals set to "on"
> >
On Sunday, March 31, 2002, at 04:05 AM, Liam wrote:
> at the moment I have register_globals set to "on"
> Is there any reason I should turn it off?
>
> What are the security risks of having them on?
I once asked this exact question, and here is the response I got -- I
found it very helpful:
On Sunday 31 March 2002 17:05, Liam wrote:
> 31/03/2002 9:05:53 AM
>
> Hi all,
> I'm running a webhosting service and I'm looking at security issues.
>
> at the moment I have register_globals set to "on"
> Is there any reason I should turn it off?
>
> What are the security risks of having them on?
> -Original Message-
> From: Richard Ellerbrock [mailto:[EMAIL PROTECTED]]
> Sent: 13 March 2002 14:25
>
> The following code generates a warning when register_globals=off and
> error reporting is set to E_ALL. How do I define the constant
> in another
> way not to generate a warning? Th
what command? if you're using ini_set you can't. in this case it'll set
the local value but it's of no consequence, register_globals has already
done its thing before getting to the script. use of .htaccess is
possible.
regards,
Philip Olson
On Thu, 13 Dec 2001, Charlie Killian wrote:
> I t
> I just come across and odd behaviour with the register_globals and
> session handling. The problem is that when I set the register
> globals to
> on I cannot access the session_variables through the associative array
> HTTP_SESSION_VARS. The manual says explicitly that with track_vars and
> reg
Refer to the PHP Manual for details.
http://www.php.net/manual/en/language.variables.external.php
The Manual is worth to read :)
(Don't forget to read FAQ also, it seems FAQ is updated recently)
Regards,
--
Yasuo Ohgaki
""hi"" <[EMAIL PROTECTED]> wrote in message
9acn9h$bgp$[EMAIL PROTECTED]">
hi [[EMAIL PROTECTED]] wrote:
> Hi,
>
> Could someone explain what the following passage in php.ini means:
>
> You should do your best to write your scripts so that they do not require
> ; register_globals to be on; Using form variables as globals can easily
> lead
> ; to possible security pro
> Could someone explain what the following passage in php.ini means:
>
> You should do your best to write your scripts so that they do not require
> ; register_globals to be on; Using form variables as globals can easily
> lead
> ; to possible security problems, if the code is not very well thou
Steve Haemelinck wrote:
> Does the PHP_SELF variable only work if you have your
> register_globals on?
Probably.
> Is their an another for still using it ?
$putitinhere = getenv("PHP_SELF");
might work.
Or, if track_vars is ON (default since PHP 4.03 I think), you might
find it in $HTTP_SERVER
85 matches
Mail list logo
