Re: register_globals - turning on
From: John (duc_at_ula.com)
Date: 07/15/04
- Next message: Tim Van Wassenhove: "Re: Storing form field names in an array and writing values to a text file"
- Previous message: Tim Van Wassenhove: "Re: netscape mozilla iexplorer standard"
- In reply to: Gordon Burditt: "Re: register_globals - turning on"
- Next in thread: Gordon Burditt: "Re: register_globals - turning on"
- Reply: Gordon Burditt: "Re: register_globals - turning on"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Thu, 15 Jul 2004 18:07:38 +0100
On 14 Jul 2004 05:42:57 GMT, A strange species called
gordonb.qoifh@burditt.org (Gordon Burditt) wrote:
>>I've RTFM at:
>>http://de2.php.net/manual/en/security.globals.php
>>
>>I'm a bit confused though and need a little clarification.
>>
>>I'm running locally and register_globals is off because it isn't
>>enabled anymore in new versions of PHP because of potential security
>>issues, though I understand that the security issues are mainly
>>programmers not being aware of this and using code that could be
>>exploited.
>>
>>As I understand it most hosts have register_globals switched "ON" by
>>default because of the history of PHP.
>
>I hope that isn't true, and it should be becoming less true as
>time goes on.
>
>>From what I have read I get a little confused. I need to turn "ON"
>>register_globals otherwise I can't finish off my login pages and use
>>sessions in PHP.
>
>I recommend that you write PHP code for non-obsolete versions of
>PHP.
>
>>
>>However, the advice in one of the posts in the manual at php.net, says
>>to make sure register_globals is OFF to 'avoid session problems'. It
>>also recommends creating a .htaccess file in the document root that
>>contains the following settings:
>
>>1. Set register_globals to off.
>>2. Load your fixed include paths.
>>3. Relocate your session file storage folder away from the default
>>'/tmp'
>>
>>Firstly, I'm not too sure what exactly a .htaccess file is? Is it
>
>A .htaccess file is an Apache configuration file. *IF* you are
>allowed to use one, you may put it in your web directory and it
>affects all subdirectories under that directory, unless overridden
>by a .htaccess file in a subdirectory. One thing a .htaccess file
>can do is set per-directory options for PHP when it is run as
>an Apache module (using it as a module is the standard setup).
>
>>just like an include file that each page references and loads the
>>settings from?
>>
>>It suggests the following for the .htaccess file:
>>
>>php_flag register_globals off
>
>Turns register_globals off. Duh!
>
>>php_value session.save_path /home/user/siteroot/sess/users
>
>Sessions contain persistent data, and you have to have
>some place to save this data. This specifies where.
>/tmp is not a particularly secure place for it, especially
>if you share the server with other people. The web server
>user needs to be able to read and write files here.
So basically using the .htaccess is a safe way of enabling sessions to
work, without having to turn on register_globals.
>>php_value session.gc_maxlifetime xxx
>
>How long to save data for sessions that go stale.
>"gc" stands for "garbage collection" (of sessions).
>
>>php_value include_path .:/home/user/siteroot.com/sess
>
>Where to look for stuff included with "include".
>
>>php_value auto_prepend /home/user/siteroot.com/sess/path_file.php
>
>Stick this file on the beginning of every PHP page processed. (an
>"automatic include"). It can, among other things, start up your
>sessions.
Do I stick that at the start of every single page or just the ones
requiring users to be logged in to access?
>>I'm not too sure on what all the above does, except for the first
>>line, so if you could break it down for me I'd be very grateful. The
>>paths are a tad confusing as well. I'm not too sure how that would
>>relate when I'm running locally, or if I'm with a host? I wouldn't
>>know what if anything the paths would need changing to.
>
>The paths need to EXIST and point to disk space you can control.
>In the case of session data, the web server needs to be able
>to read and write files there. In the case of the include directory,
>the web server needs to be able to read files there, and you
>probably shouldn't let anyone else write on them.
This include path. Is this just where you would put all the .inc
files that contain the username, password and db connection info etc?
>>John
>>
>>PS. If anyone watches the series Stargate SG-1 I am very much like the
>>character O'Neil played by Richard Dean Anderson ex MacGyver fame. In
>>the series he always gets lost with the technical scientific terms and
>>needs things explaining more simply :)
>
>Can I have a sample of Naquadria?
I don't think they've discovered any on this planet yet, though a lot
of the stuff we have is just as bad. You can probably get some red
mercury in a can of Coke if you visit one of the ex-Soviet countries.
I heard they sell them for less than the original product it
contained.
Cheers for your help
John
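Added example, not part of the thread above and not code from either poster: the thread's underlying point is that sessions do not need register_globals at all, and that a login check which depends on register_globals is exactly the kind of code that can be exploited. The block shows the dependent pattern beside the same check written against the $_SESSION and $_POST superglobals. The session directory, the login URL, the function names and the user table are placeholders chosen for this illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Shows why a login check that depends on
// register_globals is exploitable and how the same check looks when written against
// the $_SESSION/$_POST superglobals, which work with register_globals off (the default).
// The session directory, the login URL and the user table are placeholders.

// ---- The pattern register_globals makes dangerous ----
// With register_globals = on, PHP creates a global variable for every request
// parameter before the script runs, so GET /admin.php?authorized=1 defines
// $authorized = "1". A script that only sets $authorized on a successful login and
// otherwise never initialises it lets that injected value straight through.
function vulnerable_is_logged_in(): bool
{
    global $authorized;            // with register_globals on, may come from the URL
    return !empty($authorized);
}

// ---- The same check written for register_globals = off ----
function start_session(string $savePath): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_save_path($savePath);              // what php_value session.save_path sets
        ini_set('session.cookie_httponly', '1');   // keep the session id away from scripts
        ini_set('session.use_only_cookies', '1');  // never accept the id from the URL
        session_start();
    }
}

// $users maps username => password_hash() output (a constructed table in this example).
function login(string $user, string $password, array $users): bool
{
    if (!isset($users[$user]) || !password_verify($password, $users[$user])) {
        return false;
    }
    session_regenerate_id(true);   // fresh id after authentication: blocks session fixation
    $_SESSION['user'] = $user;     // state the attacker cannot inject from the request
    return true;
}

function is_logged_in(): bool
{
    // $_SESSION is filled only from the server-side session file, never from the request
    return isset($_SESSION['user']);
}

function require_login(string $loginUrl): void
{
    if (!is_logged_in()) {
        header('Location: ' . $loginUrl);
        exit;
    }
}

// The form handler reads its input explicitly from $_POST instead of relying on PHP
// to have turned form fields into variables.
function handle_login_form(array $users): bool
{
    $user     = (string) ($_POST['username'] ?? '');
    $password = (string) ($_POST['password'] ?? '');
    return login($user, $password, $users);
}
```

Suggested split across the files discussed in the thread: call start_session('/home/user/siteroot/sess/users') from the file named by the auto-prepend directive, since that file runs at the start of every page and should therefore only do setup that every page needs; put require_login('/login.php') at the top of just the pages that need a logged-in user; and have login.php build $users (from the database, or for a local test something like ['john' => password_hash('secret', PASSWORD_DEFAULT)]) and call handle_login_form(). Note that the directive quoted in the thread as auto_prepend is actually spelled auto_prepend_file in PHP. Nothing here requires register_globals: session_start() reads and sets the session cookie on its own, and the include_path only affects where include/require look for files.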