On Wed, 2003-06-11 at 22:46, Ruth Gunstone wrote:
> In message <1055277400.1802.124.camel [at] elsol.zwan>
> "Mr. Adam ALLEN" <adam [at] dynamicinteraction.co.uk> wrote:
> > Making a few assumptions about your computers ;-) RH 7.3 or earlier on the
> > desktop based on your desktop RH 8.0 as I recall on the laptop.
>
> Both Mandrake distros - 8.2 on the PC and 9.1 on the laptop
>
That's ok, maybe it was Nicola I was thinking of - not the best person
for remembering names.
> O.k., I've changed the PHP configuration (took ages to find it!). I
> couldn't find "register_vars", but "register_globals" seemed to be relevant.
> Changed the setting to "On", but it didn't seem to work (also tried stopping
> and restarting httpd.) I read a bit (lot!) more of the How To's -
> particularly the comments regarding the security implications of global
> variables, and found the reference to adding the directive "php_flag
> register_globals" to an .htaccess file. THIS did the trick!
>
Not very good with flags as well as names! register_globals is what I
meant.
> The security implication is quite interesting (although not very relevant in
> my case), so I intend to re-write the PHP to use the $_POST method. I just
> hope the goalposts don't move /again/ before I've finished!!! (This project's
> been on the go for a year!)
>
I've found the whole thing of the $_POST and $HTTP_GET_VARS to be a real
headache. Fortunately the legacy scripts are running with hosts who have
enabled register_globals.
From what I remember the security issue is with sloppy programming.
People doing something as stupid as
if($authenticated){ echo "This is the secret";}
which makes it trivial to pass authenticated=1 with the request.
It's something which isn't an issue within my own scripts, but can
easily understand why others would fail under this. I ended up using a
bit of perl to do a conversion between $this to $_POST[this]. The
regular expression commented out converts from either $HTTP_POST_VARS{}
or $HTTP_GET_VARS to $_????{}.
The script was ok for my needs, but it's probably best to keep a backup
of the original scripts - until it's proved to have worked without
turning everything to garbage ;-)
#!/usr/bin/perl
# Usage: cat oldstyle.php | perl perlscript.pl > newstyle.php
use strict;
use warnings;

while (<STDIN>) {
    # Convert $test (when followed by whitespace or '=') to $_POST[test].
    # Note: this rewrites *every* such variable, locals included, so review
    # the output; PHP itself prefers a quoted key, $_POST['test'].
    s/\$([A-Za-z0-9_]+)([\s=])/\$_POST[$1]$2/g;
    # Convert $HTTP_POST_VARS / $HTTP_GET_VARS to $_POST / $_GET
    # (commented out; enable if your scripts use the old long names).
    #s/\$HTTP_(POST|GET)_VARS/\$_$1/g;
    print;
}
Hope this helps,
Adam Allen.
adam@dynamicinteraction.co.uk
pgp http://search.keyserver.net:11371/pks/lookup?op=vindex&search=adam%40dynamicinteraction.co.uk
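An added illustration of the register_globals problem discussed above (written for this page, not code from Adam or Ruth): the "before" function emulates register_globals with extract() so it runs on PHP 5.4 and later, where the directive no longer exists; the "after" function initialises its own variables and reads request fields explicitly from a $_POST-style array. The function names, the constructed request and check_register_globals() are this example's own.

```php
<?php
// Added example, not code from the thread.

// On PHP < 5.4, refuse to serve pages while register_globals is still On.
// On newer PHP ini_get() returns false for the removed directive.
function check_register_globals(): void
{
    if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
        trigger_error('register_globals is On; request data would become variables', E_USER_ERROR);
    }
}

// BEFORE: the pattern quoted in the thread. With register_globals=On PHP
// populated $authenticated from the request; extract() does the same here.
function secret_before(array $request): string
{
    extract($request);                 // creates $authenticated = '1' if supplied
    if ($authenticated) {              // never initialised by this code
        return "This is the secret";
    }
    return "Access denied";
}

// AFTER: nothing becomes a variable unless this code reads it by name, and
// the authorisation decision comes from server-side session state only.
function secret_after(array $post, array $session): string
{
    $authenticated = false;                              // always initialised
    if (!empty($session['authenticated'])) {
        $authenticated = true;
    }
    // Legitimate fields are read explicitly, the $_POST['this'] way;
    // an extra 'authenticated' field in $post is simply never consulted.
    $name = isset($post['name']) ? (string) $post['name'] : 'guest';

    return $authenticated
        ? "Hello $name, this is the secret"
        : "Hello $name, access denied";
}

check_register_globals();

// Constructed request carrying the extra field from the thread.
$request = ['name' => 'Ruth', 'authenticated' => '1'];

echo "before:           ", secret_before($request), "\n";                     // secret leaks
echo "after:            ", secret_after($request, []), "\n";                  // access denied
echo "after, logged in: ", secret_after($request, ['authenticated' => true]), "\n";
```

Run it with the php command-line binary; the first line shows the leak the thread describes, the second shows the same request failing once variables are initialised and read explicitly, and the third shows that only the session, not the request, can grant access.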