xisto Community
matak

Security Check Php Register_globals When installing Joomla on trap17


Joomla shows this warning:

Following PHP Server Settings are not optimal for Security and it is recommended to change them:

* PHP register_globals setting is `ON` instead of `OFF`

Well, it shows two warnings, but the other one I can change.

Is this something I, or you, should be worried about, or is it normal...


Now, with register_globals, I should first clarify that turning register globals on IS NOT a security risk or a bad idea. And turning it on for a local server is definitely NO security risk. RELYING upon register globals is a security risk and a bad idea but just having this setting on is fine (and very common for hosted servers).

Source

As quoted on another forum I belong to, which deals strictly with PHP and MySQL matters.

And the php.net page which discusses the topic is here: http://us3.php.net/manual/en/security.globals.php.

Nothing to be worried about if the variables and coding are properly managed.

 

Biggest thing to remember: NEVER, EVER trust user data. Always cleanse it using the method appropriate to the data source and the data target. Stripslashes(), html_entities(), magic_quotes_gpc all have different intentions and should be used accordingly.


As those websites and jlhaslip said, you can leave it on, but I generally turn it off because, as said, it makes writing vulnerable code so much easier, and I think it can also be a risk from SQL injection (e.g. putting a query into the URL and having the website execute it and showing the attacker sensitive information). The only real difference I've ever noticed is that by having it on you have to type code like

$user = $_POST['user'];

because (as is the point with register_globals) the code will not automatically take the value of the post variable 'user' and plant it into the variable $user.

For development I also find it easier to have it off so that I must use code like above; in the event that a host has it off too and I can't change that, then I won't have to modify my code. And definitely use the functions jlhaslip said to make sure that input is safe(ish) for the code to use.


Dear matak, I think it's better to use the Mambo script. Joomla has many bugs and it's not a very good and secure script. Use Mambo, it's a real CMS.
Thanks

The Joomla project is actually a fork of Mambo, meaning some developers from Mambo said Bye Bye and borrowed the source code to make their own product (which is legally allowed under the GNU GPL). So if anything, Mambo and Joomla would constantly be competing for levels of security.
And matak, don't worry about the Register Globals warning, I run Joomla and Mambo with the same thing and I have no problems.
Edited by michaelper22 (see edit history)

THE SOLUTION:

In the folder /public_html there is a file which is called .access. Edit this file and enter at the bottom of the file this line:

php_flag register_globals off

Then click save.

Now register_globals is turned OFF in ALL subfolders!

This code/solution is not originally by me but comes from this link: Click here. I will not take the honor of this code, but I felt like it was relevant to post it here.
Edited by lihuyt (see edit history)
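
The difference between having register_globals on and relying on it, which the posts above discuss, shown as an added example that is not code from any poster or from Joomla. It emulates the setting with extract() so it runs on PHP versions where the directive no longer exists; the function names, the USERS table and the sample requests are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed account store (plaintext only to keep the demo short).
const USERS = ['matak' => 'correct horse'];

// Page written in the style that RELIES on register_globals: $authorized is
// never initialised, so a request parameter of that name survives the check.
function page_relying_on_globals(array $request): bool {
    extract($request);   // emulates what register_globals=On did implicitly
    if (isset($user, $pass) && (USERS[$user] ?? null) === $pass) {
        $authorized = true;
    }
    return !empty($authorized);
}

// Same page written so the setting does not matter: every variable is
// initialised and input is read only from the explicit request array
// ($_POST in a real page).
function page_explicit_input(array $request): bool {
    $authorized = false;
    $user = is_string($request['user'] ?? null) ? $request['user'] : '';
    $pass = is_string($request['pass'] ?? null) ? $request['pass'] : '';
    if (isset(USERS[$user]) && hash_equals(USERS[$user], $pass)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed requests: a normal login, a failed login, and a failed login
// that also carries a parameter named like the internal variable.
$requests = [
    'valid login'          => ['user' => 'matak', 'pass' => 'correct horse'],
    'wrong password'       => ['user' => 'matak', 'pass' => 'nope'],
    'wrong password + var' => ['user' => 'matak', 'pass' => 'nope', 'authorized' => '1'],
];

foreach ($requests as $label => $req) {
    printf("%-22s relying=%-5s explicit=%s\n", $label,
        var_export(page_relying_on_globals($req), true),
        var_export(page_explicit_input($req), true));
}
```

The two functions agree on the first two requests and differ only on the third, which is the case the Joomla warning is about.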
