Security Check Php Register_globals When installing Joomla on trap17

[matak 2]

Joomla shows this warning

 

Following PHP Server Settings are not optimal for Security and it is recommended to change them:

 

* PHP register_globals setting is `ON` instead of `OFF`

 

Well it shows two warnings but the other one i can change.

 

Is this something i, or you should be woried about or is it normal...

[jlhaslip 4]

Now, with register_globals, I should first clarify that turning register globals on IS NOT a security risk or a bad idea. And turning it on for a local server is definitely NO security risk. RELYING upon register globals is a security risk and a bad idea but just having this setting on is fine (and very common for hosted servers).

Source

As quoted on another Forum I belong to which deals strictly with PHP and Mysql matters.

 

And the php.net page which discuses the topic is here: http://us3.php.net/manual/en/security.globals.php.

Nothing to be worried about if the variables and coding are properly managed.

 

Biggest thing to remember: NEVER, EVER trust user data. Always cleanse it using the method appropriate to the data source and the data target. Stripslashes(), html_entities(), magic_quotes_gpc all have different intentions and should be used accordingly.

[shadowx 0]

As those websites and jlhaslip said you can leave it on but i generally turn it off because as said it makes writing vulnerable code so much easier and i think it can also be a risk from SQL injection (eg putting a query into the url and having the website execute it and showing the attacker sensitive information.) The only real difference Ive ever noticed is that by having it on you have to type code like

$user = $_POST['user'];

because (as is the point with register_globals) the code will not automatically take the value of the post variable 'user' and plant it into the variable $user.

For development i also find it easier to have it off so that i must use code like above in the event that a host has it off too and i cant change that then i wont have to modify my code. And definitely use the functions jlhaslip said to make sure that input is safe(ish) for the code to use.

[farsiscript 0]

Dear matak , i think its better to use mambo script , Joomla has many bug and its not very good and secure scriptuse mambo its real cmsthanks

[michaelper22 0]

Dear matak , i think its better to use mambo script , Joomla has many bug and its not very good and secure scriptuse mambo its real cms
thanks

The Joomla project is actually a fork of Mambo, meaning some developers from Mambo said Bye Bye and borrowed the source code to make their own product (which is legally allowed under the GNU GPL). So if anything, Mambo and Joomla would constantly be competing for levels of security.
And matak, don't worry about the Register Globals warning, I run Joomla and mambo with the same thing and I have no problems.
Edited November 17, 2006 by michaelper22 (see edit history)

[farsiscript 0]

Yes Dear michaelper22I Agree Your Post about mambo and Joomla , i test mambo and Joomla with register_globals ,Thanks

[blendergalactica 0]

However, all the extentions/programs that extend mambo/joomla's functionalities have moved to joomla. Mambo doesn't have a lot left going for it at this point. That being said I haven't had any problems with Joomla thus far...

[lihuyt 0]

THE SOLUTION:

In the folder /public_html there is a file which is called .access. Edit this file and enter at the bottom of the file this line:

php_flag register_globals off

Then click save.

Now register_globals is turned OFF in ALL subfolders!

This code/solution is not originally by me but comes from this link: Click here. I will not take the honor of this code, but I felt like it was relevant to post it here.
Edited March 4, 2007 by lihuyt (see edit history)