Ravens PHP Scripts: Forums
 

 

Ravens PHP Scripts And Web Hosting Forum Index -> RN v2.10.01 - All Issues
utssace
Worker
Posted: Sun Nov 11, 2007 2:08 pm

Is it ok to add this to the top of the .htaccess file in the nuke root?

Code:
php_value register_globals 0
 
fkelly
Former Moderator in Good Standing
Posted: Sun Nov 11, 2007 5:01 pm

Hummm ... I doubt it. Much of the Nuke "native" code depends on having register_globals on. I am just learning about all this but my understanding is:

-if you were writing a system from scratch you'd have it off and code with the knowledge that it was off
-but Nuke wasn't written that way and a lot of the programs depend on it

I also don't know if that would work in .htaccess but that's a separate issue.

Have you tried any experiments using this? What are you trying to do -- I mean where did you get the idea to do this? I'm really just curious for my own understanding.
 
evaders99
Former Moderator in Good Standing
Posted: Sun Nov 11, 2007 7:35 pm

Actually phpNuke works just fine with register_globals off. It will go ahead and call the function to mimic register_global's functionality - import_request_variables

I personally turn off register_globals unless a script requires it.

fkelly







Posted: Mon Nov 12, 2007 9:35 am

Just to further my understanding I looked this up in mainfile.php. The code Evaders (I think) is referring to is:

Code:
if (!ini_get('register_globals')) {
    @import_request_variables('GPC', '');
}


So at least within the Nuke system I'm not sure whether fiddling with htaccess the way that was originally proposed in this thread has any advantage. In a lot of the code in Nuke you'll have a form with, say, a field called "foo" and then the form will be passed to the action script where the script will just access the variable $foo without doing an explicit $_POST['foo'] on it and with very little if any validation. From a maintainability point of view, as well as for security, it would be much better to explicitly retrieve variables from the $_POST array.
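
The difference between the two access styles described in the post above, as an added example that is not RavenNuke code and not written by any poster in this thread. A plain array merge stands in for `import_request_variables('GPC', '')`, which was removed in PHP 5.4; the handler names and the 1..1000 integer rule are assumptions.

```php
<?php
// Added example, not RavenNuke code. "foo" is the field name used in the thread;
// the function names and the 1..1000 integer rule are hypothetical.

// Stand-in for import_request_variables('GPC', ''): sources are applied in the
// order G, P, C, so a later source overwrites an earlier one of the same name.
function imported_globals(array $get, array $post, array $cookie)
{
    return array_merge($get, $post, $cookie);
}

// Pattern described in the post: use $foo without knowing where it came from.
function legacy_handler(array $get, array $post, array $cookie)
{
    $vars = imported_globals($get, $post, $cookie);
    return isset($vars['foo']) ? $vars['foo'] : null;   // no source, type or range check
}

// Explicit retrieval: one named source, a string only, then a bounded integer.
function explicit_handler(array $post)
{
    if (!isset($post['foo']) || !is_string($post['foo'])) {
        return null;                                     // missing, or foo[]=... array
    }
    $foo = filter_var($post['foo'], FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 1, 'max_range' => 1000)));
    return ($foo === false) ? null : $foo;
}

// Constructed requests: array(GET, POST, COOKIE).
$samples = array(
    'plain form post'       => array(array(), array('foo' => '42'), array()),
    'cookie shadows post'   => array(array(), array('foo' => '42'), array('foo' => 'from-cookie')),
    'value only in the URL' => array(array('foo' => '7'), array(), array()),
    'array instead of text' => array(array(), array('foo' => array('x')), array()),
    'out of range'          => array(array(), array('foo' => '999999'), array()),
);
foreach ($samples as $label => $s) {
    printf("%-22s legacy=%-16s explicit=%s\n", $label,
        json_encode(legacy_handler($s[0], $s[1], $s[2])),
        json_encode(explicit_handler($s[1])));
}
```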
 
montego
Site Admin
Posted: Mon Nov 12, 2007 7:36 pm

It helps only if you also desire to have other non-nuke scripts on your server. Anything below the root will pick up the fact that register globals is off. Therefore, IMO, it doesn't hurt and can actually add a little bit of "security"... notice I said "little bit"????? ;)

utssace







Posted: Tue Nov 13, 2007 5:06 pm

So will the htaccess entry I listed above work for this? I tried this on a Joomla site that I was playing around with and it worked. Just not sure.
 
fkelly







Posted: Tue Nov 13, 2007 6:16 pm

I think the consensus is:

1. it is irrelevant within Nuke, as long as mainfile is called you will have the effect of having register globals on.

2. you could have some "little bit" of additional security if you are not using Nuke and this works.

I have not tried the specific htaccess command. Maybe someone else knows off the top.

To test it, just write a form. It just has to have one input field and an action to another program (php). Say the input field is "foobar". In the program that processes the form try to access the input field as $foobar without doing a $_POST['foobar']. If you can access it then the htaccess command didn't work. If you can't it did. Unless, of course, your php.ini turned register globals off in the first place. In that case your htaccess command is duplicative and irrelevant.
 
montego







Posted: Tue Nov 13, 2007 7:16 pm

utssace, the best way to test is put that line in your .htaccess and then create a file with whatever name you want with a .php extension with the following:

Code:
<?php
phpinfo();
?>


And then run that from wherever you want on your server underneath that .htaccess file. Look to see if the register globals for local settings is OFF.

Do NOT post the results of that script here!!!!!! It is very sensitive info and delete the file once you have the output.
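
A narrower check that combines the two tests suggested in this thread (the local setting and whether a request field shows up as a bare variable) and prints only that one directive instead of the full `phpinfo()` page. This is an added example, not code from the thread or from RavenNuke; `foobar` is the field name used above, and the function names and the file name `check.php` are hypothetical.

```php
<?php
// Added example. Place under the directory covered by the .htaccess, request it
// once as check.php?foobar=1 (file name hypothetical), then delete it.

function ini_flag_on($value)
{
    return in_array(strtolower(trim((string) $value)), array('1', 'on', 'yes', 'true'), true);
}

function register_globals_report()
{
    $all = ini_get_all();    // per directive: global_value, local_value, access
    if (!isset($all['register_globals'])) {
        return null;          // directive removed (PHP 5.4 and later)
    }
    return array(
        'master' => ini_flag_on($all['register_globals']['global_value']),
        'local'  => ini_flag_on($all['register_globals']['local_value']),
    );
}

function describe($on) { return $on ? 'On' : 'Off'; }

header('Content-Type: text/plain');
$report = register_globals_report();
if ($report === null) {
    echo "register_globals: not present in this PHP build\n";
} else {
    echo 'register_globals master value: ', describe($report['master']), "\n";
    echo 'register_globals local value:  ', describe($report['local']), "\n";
    if ($report['master'] !== $report['local']) {
        echo "local differs from master: an override (such as .htaccess) is in effect\n";
    } elseif (!$report['local']) {
        echo "already Off in the master configuration: the .htaccess line is redundant\n";
    } else {
        echo "still On: the .htaccess line had no effect here\n";
    }
}

// Behavioural check from the thread: did the query parameter become a global?
if (isset($_GET['foobar'])) {
    $leaked = array_key_exists('foobar', $GLOBALS);
    echo 'request parameter visible as $foobar: ', ($leaked ? 'yes' : 'no'), "\n";
} else {
    echo "append ?foobar=1 to the URL to run the behavioural check\n";
}
```

The `.htaccess` line only takes effect when PHP runs as an Apache module and the directory's `AllowOverride` setting permits it; the PHP manual's documented form for boolean settings is `php_flag register_globals off`.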
 
All times are GMT - 6 Hours
 