Oct 28 2006, 07:43 AM
Post #1
Super Member Group: Members Posts: 413 Joined: 4-October 06 From: Psychedelic Realms Member No.: 31,079
Joomla shows this warning
QUOTE
Following PHP Server Settings are not optimal for Security and it is recommended to change them:
* PHP register_globals setting is `ON` instead of `OFF`

Well, it shows two warnings but the other one I can change. Is this something I, or you, should be worried about or is it normal...
Oct 28 2006, 09:24 AM
Post #2
A computer once beat me at chess, but it was no match for me at kick boxing. Group: [MODERATOR] Posts: 3,994 Joined: 24-July 05 From: In Trouble Again... still? Member No.: 9,787
QUOTE(Larry Ullman @ Author)
Now, with register_globals, I should first clarify that turning register globals on IS NOT a security risk or a bad idea. And turning it on for a local server is definitely NO security risk. RELYING upon register globals is a security risk and a bad idea but just having this setting on is fine (and very common for hosted servers).
Source

As quoted on another forum I belong to, which deals strictly with PHP and MySQL matters. And the php.net page which discusses the topic is here: http://us3.php.net/manual/en/security.globals.php.

Nothing to be worried about if the variables and coding are properly managed. Biggest thing to remember: NEVER, EVER trust user data. Always cleanse it using the method appropriate to the data source and the data target. Stripslashes(), html_entities(), magic_quotes_gpc all have different intentions and should be used accordingly.
Oct 28 2006, 01:51 PM
Post #3
A clever man learns from his own mistakes, a WISE man learns from those of OTHERS Group: [HOSTED] Posts: 981 Joined: 12-April 06 From: Essex, UK Member No.: 21,719
As those websites and jlhaslip said, you can leave it on, but I generally turn it off because, as said, it makes writing vulnerable code so much easier and I think it can also be a risk from SQL injection (e.g. putting a query into the URL and having the website execute it and showing the attacker sensitive information). The only real difference I've ever noticed is that by having it on you have to type code like

CODE
$user = $_POST['user'];

because (as is the point with register_globals) the code will not automatically take the value of the post variable 'user' and plant it into the variable $user. For development I also find it easier to have it off so that I must use code like above; in the event that a host has it off too and I can't change that, then I won't have to modify my code. And definitely use the functions jlhaslip said to make sure that input is safe(ish) for the code to use.
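
The difference between having the setting on and relying on it (posts #2 and #3), as an added example that is not code from the thread. register_globals no longer exists in current PHP, so `extract()` stands in for it here; `is_logged_in()`, both function names and the sample requests are constructed for illustration.

```php
<?php
// Added example: register_globals was removed in PHP 5.4, so extract()
// reproduces what the setting did (request parameters become variables).

// Stand-in for a real credential/session check (assumption).
function is_logged_in(string $user): bool
{
    return $user === 'admin';
}

// Relies on register_globals: $authorized is never initialised, so a
// request parameter with the same name supplies its value.
function relies_on_globals(array $request): bool
{
    extract($request, EXTR_SKIP);   // effect of register_globals = On
    if (is_logged_in($user ?? '')) {
        $authorized = true;
    }
    return !empty($authorized);
}

// Same setting still "on", but nothing depends on it: the flag is
// initialised and input is read from the explicit array, in the same way
// as $_POST['user'] in post #3.
function explicit_input(array $request): bool
{
    extract($request, EXTR_SKIP);   // setting is still on
    $authorized = false;            // initialise before use
    $user = is_string($request['user'] ?? null) ? $request['user'] : '';
    if (is_logged_in($user)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed requests: a guest whose request carries authorized=1,
// and a plain guest request.
$tampered = ['user' => 'guest', 'authorized' => '1'];
$plain    = ['user' => 'guest'];

foreach (['tampered' => $tampered, 'plain' => $plain] as $label => $req) {
    printf("%-8s relies_on_globals=%s explicit_input=%s\n", $label,
        var_export(relies_on_globals($req), true),
        var_export(explicit_input($req), true));
}
```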
Oct 29 2006, 09:35 AM
Post #4
Super Member Group: Members Posts: 357 Joined: 8-April 06 Member No.: 21,487
Dear matak, I think it's better to use the Mambo script. Joomla has many bugs and it's not a very good and secure script.
Use Mambo, it's a real CMS. Thanks
Nov 17 2006, 07:16 PM
Post #5
-=Hybrid Bus=- Group: Members Posts: 744 Joined: 2-November 05 From: My hybrid bus (in NYC), a computer Member No.: 13,709
QUOTE
Dear matak, I think it's better to use the Mambo script. Joomla has many bugs and it's not a very good and secure script. Use Mambo, it's a real CMS. Thanks

The Joomla project is actually a fork of Mambo, meaning some developers from Mambo said Bye Bye and borrowed the source code to make their own product (which is legally allowed under the GNU GPL). So if anything, Mambo and Joomla would constantly be competing for levels of security. And matak, don't worry about the Register Globals warning, I run Joomla and Mambo with the same thing and I have no problems.

This post has been edited by michaelper22: Nov 17 2006, 07:17 PM
Nov 18 2006, 05:58 PM
Post #6
Super Member Group: Members Posts: 357 Joined: 8-April 06 Member No.: 21,487
Yes, dear michaelper22,
I agree with your post about Mambo and Joomla. I tested Mambo and Joomla with register_globals. Thanks
Nov 18 2006, 07:25 PM
Post #7
Member [Level 3] Group: Members Posts: 95 Joined: 4-October 06 Member No.: 31,075
However, all the extensions/programs that extend Mambo/Joomla's functionalities have moved to Joomla. Mambo doesn't have a lot left going for it at this point.
That being said, I haven't had any problems with Joomla thus far...
Mar 4 2007, 09:40 PM
Post #8
Newbie [Level 2] Group: Members Posts: 35 Joined: 25-February 07 From: Trondheim, Norway Member No.: 39,211
THE SOLUTION:
In the folder /public_html there is a file which is called .access. Edit this file and enter at the bottom of the file this line:

CODE
php_flag register_globals off

Then click save. Now register_globals is turned OFF in ALL subfolders! This code/solution is not originally by me but comes from this link: Click here. I will not take the honor of this code, but I felt like it was relevant to post it here.

This post has been edited by lihuyt: Mar 4 2007, 09:41 PM