Php server set up problem

I have installed Apache and installed PHP. I have been recently working with Variables and passing them through a form… but to no success.

I looked over the code and found no problems… so I uploaded a simple Form to another web server and found the coding worked!

Which means I have not set up PHP with Apache correct…
I am reading through everything again… but would love to know if anyone has any helpful tips? I think it will end up being something simple…

This is my first install of Apache and PHP/mySQL

Sam. C:-)

I was just checking out a few more things…

; You should do your best to write your scripts so that they do not require
; register_globals to be on; Using form variables as globals can easily lead
; to possible security problems, if the code is not very well thought of.
register_globals = on

I changed this from OFF to ON… can anyone explain the little blurb more at the top?

To make long story short, it’s best to leave it OFF for the security reason which I don’t understand a bit… :slight_smile:

It was set to ON before but they changed it to OFF so there must be some good reason why they changed it… I am sure those PHP developers are whole lot smarter than those dumb-dumbs in M$… :smiley:
(The dumb-dumbs are those who sits in the high chairs… :gas: )

When this option is set to ON, ‘form’, ‘server’, and ‘enviromental’ variables become part of the global namespace automatically. This means that a remote attacker can create any variable they wish and have it declared in the global namespace.

The easiest example is having the ability to pass variables through the URL itself :

blaaa.com/anyoldpage.php?adminpassword=ok

My advice is to always have global_variables set to OFF and have a look at the use of SESSIONS in php for handling your variables.

HTH,

Carlitio.

register_globals=on is only a security risk if you use them. Having it set on will not do anything. But what register globals was, is lets say you have a form with an input box that was like this:


<input name="someInput" />

Now with register globals on and “using them”, $someInput would be a valid variable from the form. This was replaced by “superglobals”, which are $_POST, $_GET, etc… variables. So just having them on won’t do anything. It will only cause harm if you have a register global variable that you are using in a script that can be fudged with via get. ie. Lets say you have a global variable on a page that determines if you are an admin or not, $admin_level=1, then you can put this in a get url: somesite.com?admin_level=1 and you would get admin level access.

osCommerce is a well known application that is hacked together in a hodge podge mess. It still uses register globals. Chances are your host may still have them enabled for backwards compatability. But in essence there is no need to use them anymore.