register_globals solution

**poiXoN** · 12-01-2004, 04:33 AM

Take a look at this link for help with those register_globals problems in OSC.

http://www.oscommerce.com/community/...gister_globals

I am running an install of OSC2.2MS2 now with this code patch and it seems to be working fine (Admin and Catalog both). Mind you, I am new to OSC (about 10 hours) and haven't done extensive testing.

You should *ALWAYS* turn register_globals OFF (default) in your php.ini file(s). This syntax is deprecated in future versions of PHP for severe security flaws/reasons. For those of you who don't know about this, I found this article to be helpful:

http://www.scit.wlv.ac.uk/~jphb/sst/...r_globals.html

BTW in the latest CVS of OSC the register_global issues are being fixed (updated for security reasons). Read here (ID 49):

http://www.oscommerce.com/community/workboard

I installed CVS tonight and the install went fine with globals off. Admin was still broken.

Now I have a question for the seniors here:

Does this OSC fix/contrib (top of this msg) look like it will work with OSCMax?

I am very curious about Max. It looks like it will be easier to MOD its appearance.

Thanks, and Good Luck peeps.

poiXoN

**michael_s** · 12-17-2004, 07:31 PM

Hi,

I am not sure if this will break any mods in max. I have put this on my short list to test. It is a great security enhancement, for sure. I appreciate the post.

**Celadore** · 11-26-2005, 07:42 AM

Thanks for the post, I could have spent hours trying to fix this!

**jpf** · 11-26-2005, 02:25 PM

The easies way to fix this would to turn register_globals=on

If your virtual host has is't own php.ini then edit it your self or ask the host - most can do that for you.

**adromidon** · 11-27-2005, 06:10 PM

if you have a jerk for a host like me that is impossible they will not edit ini files for anyone

**michael_s** · 11-27-2005, 07:24 PM

Try setting a flag in your htaccess to turn on register globals for your account. It may work:

php_flag register_globals on

but of course, it may not. It is worth a try.

**jpf** · 12-04-2005, 08:55 AM

Originally Posted by adromidon

if you have a jerk for a host like me that is impossible they will not edit ini files for anyone

Move hosts - for as little as 60.00 a years...I have TWO great suggestion---

The person who host mine (each site VM has it's own php.ini you can edit - the owner is very flexable - with okay support) - just under $63.00 a year.

As well as AABOX is a great solution (and has a special now for as low as $60/year)- best of all it already is optimized for OSCMAX! (you have to instal oscmax your self for $60 - but that is not hard)
http://aabox.com/hosting_specials.htm

BOTH ARE VERY GOOD PEOPLE THAT HELP THERE CLIENTS - NOT LIKE THE JERKS (that know jack sh**) THAT "BUYS" A BOXED HOSTING COMPANY (RESELLER) PACKAGE THAT THEN CALL THEM SELVES A HOSTING COMPANY!

Any one can aford to jump ship for about $60 for a whole year of hosting! (Unless you got a free site - but that is a whole other headack!)

**fmtaylor** · 12-25-2005, 11:04 AM

Personally I don't think that switching hosting companies is a good solution. Register globals OFF is for a good reason. I can just imagine what I could do to a site that thinks security is secondary.

The response I got from my hosting provider is "wait, if you are going to as about register _globals, we offer classes in proper code design and security for as little as $120/hr. If you need register globals on, then you need to re-evaluate your code design. Sorry, and don't ask again."

And I respect them for that. These guys are not just a bunch of johney code latelys either, learn a little PHP and think they can code. These guys actualy write software, the kind that handles real business data. Not that online shopping carts are not a real business..........

Look at me, my first post and I go insult people, sorry...

**jpf** · 12-31-2005, 10:25 PM

Originally Posted by fmtaylor

Personally I don't think that switching hosting companies is a good solution. Register globals OFF is for a good reason. I can just imagine what I could do to a site that thinks security is secondary.

The response I got from my hosting provider is "wait, if you are going to as about register _globals, we offer classes in proper code design and security for as little as $120/hr. If you need register globals on, then you need to re-evaluate your code design. Sorry, and don't ask again."

Don't want to fry you or you host - but register globals on can be achieved with proper checking...which what OSC does. BAD CODING with it on is dangerous......OSC is not badly coded. Just means if you want it OFF it need ALOT to be rewritten - as MUCH of the code originally predates when the replacement functions was included (php2 and early php3...) They properly traps all there globals. OSC was coded to be php3 compatible.

There is above a link to a "PATCH" that allow it too be run if turned off - but WILL NOT run on site with it on. ANY added code would ALSO have to be recoded.....

Feel free to apply the patch - or get the latest OSC MS3 daily (there is no final version yet) as this has it turned off - and ALSO need php4+....

$120/hour to TEACH php - give me a break....(better yet a ski mask and a plastic gun and I could to the same to you).

For HALF of that amount I can have you hosted with a number of other HOSTS who have awesome support (and a great net connection too)...

Except for DNS changed to populate - I can have you hosted elsewhere in 15 min or less.... Switch! It's cheaper faster and better....

The statement they made of globals - is typical of arrogant people/hosting co.. who DON'T listen to their customers and DON'T bother to ACTUALLY LOOK at what there customer wants. Don't encourage these types of companies.

Look at me, my first post and I go insult people, sorry...

I don't want to insult people - and a host should listen to there customers and evaluate their point. They exist cause of their customer. Without there customers they are nothing but they will end up as vaporware. (IMHO - sorry).

With a little reading they will find out what the "security" problem relates to "IF you program BADLY....and leave the HOLE open...."

And MANY people - specially "novice" people (or OLD hags like me with bad coding habits....) don't know all the tricks/problems/shortcut.... they tend to write or have poor coding skills...

10,000's OSC (and many other variants) installs can not be wrong – in fact the MS2 base even had a recent update which included a security audit (w/contact us security hole and PHP5 fixes among many other things...) But still has globals turned on (no problems found with it) as there is NO security hole in the way it is coded.

When (more like IF) OSC (which is NOT us) freezes and releases the MS3 and people update a bunch of the 1000+ MODS/CONTRIBS then we will move to that code base ourselves... BUT until then MS2 code base requires it OFF and does not have ANY problems with that....

What it boils down to: (in no typical order)
A-Move hosts (quickest/cheapest/easiest and many other 'est)
B-Use MS3 DAILY (steap hill if you want to add any contribs/mods)
C-Use MS2 with register globals on (or OFF with patch above-but same proble as option B w/MS3)
D-Use some other software that COST more (and may have less options/flexablity)

Good Luck!