register_globals security risk


My hosting provider has register_globals on. How big of a security risk is
this, and is there a workaround for it if I can't convince them to turn it
off? At the moment I am running phpbb and mantis on my site.

Re: register_globals security risk

On Thu, 18 May 2006 19:49:07 +0000, Ham Pastrami wrote:

It's not a big risk if you don't code for it being on.  The risk comes in
using variables like $page when you should be using $_GET["page"].  The
latter cannot be faked, $page could have been set in any number of ways.

So, code sensibly and it doesn't matter whether register_globals is on or
off.  Code so that it must be turned on and you're potentially up the

Andy Jeffries MBCS CITP ZCE   | gPHPEdit Lead Developer | PHP editor for Gnome 2 | Personal site and photos

Re: register_globals security risk

Andy Jeffries wrote:


I generally code specifically for it being *off*. e.g.

    // $loggedin is never initialised before these checks, which is the whole problem
    if ($_GET['username']=='tom' && $_GET['password']=='secret1')
        $loggedin = TRUE;
    elseif ($_GET['username']=='dick' && $_GET['password']=='secret2')
        $loggedin = TRUE;
    elseif ($_GET['username']=='harry' && $_GET['password']=='secret3')
        $loggedin = TRUE;
    if ($loggedin)

With register_globals switched *on* a visitor can simply pass ?loggedin=1
and they get the secret stuff. So register_globals on can be a *serious*
security risk.

Luckily you can switch it off easily using, for example, .htaccess:

    php_value register_globals off

Toby A Inkster BSc (Hons) ARCS

Re: register_globals security risk

Toby Inkster wrote:

Yup, not only a good idea, it also makes the code more portable.


Hmmz, important values like that are ALWAYS initiated in my scripts.


$logged_in = false;          // always reset before the check
if (/* some validating */) {
    $logged_in = true;
}

Rik Wasmus
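As an added example (not code from any poster in this thread), the two checks below emulate register_globals=on with extract() over a constructed request array, so the bypass Toby describes and the initialisation Rik recommends can be compared side by side. The function names, the credential table and the request arrays are hypothetical; the vulnerable check accepts the forged request while the hardened one rejects it.

```php
<?php
// Added example: emulates register_globals=on by extracting request
// parameters into the function scope, as the old setting did globally.
// Hypothetical credential table, constructed for illustration only.
$users = ['tom' => 'secret1', 'dick' => 'secret2', 'harry' => 'secret3'];

// Vulnerable: $loggedin is assigned only on success, so a value that
// register_globals injected survives when every credential check fails.
function check_vulnerable(array $get, array $users): bool
{
    extract($get);   // register_globals effect: ?loggedin=1 becomes $loggedin
    foreach ($users as $name => $pass) {
        if (($get['username'] ?? null) === $name
            && ($get['password'] ?? null) === $pass) {
            $loggedin = true;
        }
    }
    return !empty($loggedin);
}

// Hardened: the flag is initialised before use, and credentials are read
// from the request array (the $_GET equivalent) rather than bare globals.
function check_hardened(array $get, array $users): bool
{
    extract($get);               // register_globals still "on" ...
    $loggedin = false;           // ... but the flag is reset first
    $u = $get['username'] ?? '';
    $p = $get['password'] ?? '';
    if (isset($users[$u]) && hash_equals($users[$u], $p)) {
        $loggedin = true;
    }
    return $loggedin;
}

// Constructed requests: one forged with ?loggedin=1 and no credentials,
// one carrying a valid username/password pair.
$forged = ['loggedin' => '1'];
$valid  = ['username' => 'tom', 'password' => 'secret1'];

var_dump(check_vulnerable($forged, $users));
var_dump(check_hardened($forged, $users));
var_dump(check_hardened($valid, $users));
```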

Re: register_globals security risk

Ham Pastrami wrote:

One has to remember that register_globals is not a security risk in and
of itself. The developers of PHP weren't that dumb. What they didn't
anticipate is people using include files as functions. Programmers with
a background in other procedural languages like C just don't do that.
Include files are for loading in definitions, not to cause things to

Take a look at the code and see if there are places where the script does
something by including a file.  If so, you probably have a
vulnerability somewhere.
