php-4.3.1-Win32 is my php version. Does anyone understand what I am to do in
turning this off, as stated above?
TIA
Shayne
This should be a starting point as it's related to register_globals.
http://www.php.net/manual/en/security.registerglobals.php
HTH,
/Andreas
--
Registered Linux user #292411
"Sometimes it's hard to see the forest for all those trees!"
Read elsewhere: "Need a vacuumcleaner? - Get me, I suck!"
Yes, read about "register_globals." The new documentation talks
specifically about this change. But let me briefly describe it here...
In earlier releases of PHP, all of the variables that were specified on the
HTTP command-line (the "$GET" variables), and all of the post-data coming
in from the HTML form (the "$POST" variables), and local environment
variables were all "helpfully" registered as globals so that you could
refer to them by name.
The trouble is that a hacker can /intentionally/ produce an HTML stream
which contains "post variables" or "get variables" that you did not
actually set in your HTML form. In other words they're sending you a bogus
data-stream. Maybe they include "$logged_in = True" or "$user_name = root"
or whatever. The idea is to trick your script into doing something bad, by
setting the values of arbitrary variables(!) as long as they can merely
guess what they might be.
The current releases of PHP turn off the "register_globals" feature, and I
recommend that you should leave it off. Now, "get" and "post" and
"environment" variable settings are only loaded into an array, and it's up
to your program to access the specific variable settings that you need.
But now, /only/ the variable-settings you are aware of will be accessed by
your program.
If you want to adapt older code quickly, you can write a simple subroutine
that you call at the beginning of the code, passing it an array of all the
variable-names you care about. Conceptually the logic is like this:
function register_wanted_globals($your_array) {
    foreach ($your_array as $name) {
        if (isset($_REQUEST[$name])) {   // the PHP globals-array (GET/POST/cookie data)
            global $$name;               // notice double '$$' (variable variable)
            $$name = $_REQUEST[$name];
        }
    }
}
Presto... the specific variables that you're interested in are now
"registered as globals" and your code will work as before... /but/ _only_
the variable-names you intend to register, and are aware that you are
registering, will be registered. Any "rogue" variable settings a hacker
might introduce are ignored.
[P.S. It's great fun to do this sort of tinkering with ASP scripts. And
scary too, e.g. with the software of your local bank. Lots of programmers
out there do not "think like a hacker."]