
PHP warning being received


Shayne

May 9, 2003, 11:04:43 AM
Warning: Unknown(): Your script possibly relies on a session side-effect
which existed until PHP 4.2.3. Please be advised that the session extension
does not consider global variables as a source of data, unless
register_globals is enabled. You can disable this functionality and this
warning by setting session.bug_compat_42 or session.bug_compat_warn to off,
respectively. in Unknown on line 0


php-4.3.1-Win32 is my PHP version. Does anyone understand what I am to do to
turn this off, as stated above?


TIA
Shayne

Andreas Paasch

May 9, 2003, 12:15:52 PM
Shayne wrote:

This should be a starting point as it's related to register_globals.

http://www.php.net/manual/en/security.registerglobals.php

HTH,

/Andreas

--
Registered Linux user #292411
"Sometimes it's hard to see the forest for all those trees!"
Read elsewhere: "Need a vacuum cleaner? - Get me, I suck!"

Sundial Services

May 9, 2003, 1:44:54 PM
Shayne wrote:


Yes, read about "register_globals." The new documentation talks
specifically about this change. But let me briefly describe it here...

In earlier releases of PHP, all of the variables that were specified on the
HTTP command-line (the "$GET" variables), and all of the post-data coming
in from the HTML form (the "$POST" variables), and local environment
variables were all "helpfully" registered as globals so that you could
refer to them by name.

The trouble is that a hacker can /intentionally/ produce an HTML stream
which contains "post variables" or "get variables" that you did not
actually set in your HTML form. In other words they're sending you a bogus
data-stream. Maybe they include "$logged_in = True" or "$user_name = root"
or whatever. The idea is to trick your script into doing something bad, by
setting the values of arbitrary variables(!) as long as they can merely
guess what they might be.

The current releases of PHP turn off the "register_globals" feature, and I
recommend that you should leave it off. Now, "get" and "post" and
"environment" variable settings are only loaded into an array, and it's up
to your program to access the specific variable settings that you need.
But now, /only/ the variable-settings you are aware of will be accessed by
your program.

If you want to adapt older code quickly, you can write a simple subroutine
that you call at the beginning of the code, passing it an array of all the
variable-names you care about. Conceptually the logic is like this:

    foreach ($your_array as $name) {
        // $_REQUEST is the array PHP now loads get/post data into
        if (array_key_exists($name, $_REQUEST)) {
            global $$name;                   // notice double '$$'
            $$name = $_REQUEST[$name];
        }
    }

Presto... the specific variables that you're interested in are now
"registered as globals" and your code will work as before... /but/ _only_
the variable-names you intend to register, and are aware that you are
registering, will be registered. Any "rogue" variable settings a hacker
might introduce are ignored.

[P.S. It's great fun to do this sort of tinkering with ASP scripts. And
scary too, e.g. with the software of your local bank. Lots of programmers
out there do not "think like a hacker."]
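As an added example (not code from the thread): the kind of check that register_globals made subvertible, beside the whitelist shim the post describes, written as runnable PHP; the field names, the constructed $attack request and the helper names are assumptions.

```php
<?php
// Added example, not from the thread. Assumed: a page whose form sends the
// fields 'user_name' and 'comment', and a variable $logged_in the script
// is supposed to set only after a successful login.

// --- What went wrong with register_globals=On -----------------------------
// extract() stands in for the old behaviour: every request key becomes a
// variable before the script's own logic runs. Because $logged_in is never
// initialised here, a client that simply adds logged_in=1 to the request
// decides the outcome of the check.
function old_style_access(array $request) {
    extract($request);                         // same effect as register_globals
    if (isset($logged_in) && $logged_in) {     // trusts a client-supplied name
        return 'granted';
    }
    return 'denied';
}

// --- The whitelist shim from the post ---------------------------------------
// Only the names the caller lists are copied out of the request array into
// globals. Any other key the client sends, such as logged_in, is ignored.
function register_known_globals(array $names, array $source) {
    foreach ($names as $name) {
        if (array_key_exists($name, $source)) {
            global $$name;                     // the variable whose name is in $name
            $$name = $source[$name];
        }
    }
}

// Security-relevant state is initialised by the script, never by the request,
// and is deliberately kept out of the whitelist.
$logged_in = false;

// Constructed request standing in for a hostile client: it carries the
// expected user_name field plus a bogus logged_in field.
$attack = ['user_name' => 'alice', 'logged_in' => '1'];

$old = old_style_access($attack);                         // the bogus field wins
register_known_globals(['user_name', 'comment'], $attack); // only user_name is imported

// $user_name now holds 'alice'; $logged_in is still false, and the script
// itself is the only place that can change it.
printf("old style: %s, shim: logged_in is %s, user_name is %s\n",
       $old, var_export($logged_in, true), $user_name);
```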

