UBB.Dev
Posted By: Zackary Question about register globals - 03/13/2004 12:44 AM
Curiosity question here really...

I am planning on adding an app that someone else created to my site, but they require register globals to be on for it to function.

I understand that Threads works better with it off and if it is on there is a potential security risk. I plan to read up more on what register globals is in more detail, but I was curious to hear what you all thought about running with it on.

Is it bad? Good? Don't know? Don't care?

And, is there a way to run it both on AND off on the same server, but for different apps? (I'm fairly sure the answer is no, but I thought I'd toss the question out there anyway.)

Looking forward to your thoughts and comments.
Posted By: Rick Re: Question about register globals - 03/13/2004 8:33 AM
For the second part of your question. If you can use .htaccess files then you can enable/disable register globals on a per directory basis with:

php_flag register_globals on

or

php_flag register_globals off

As for my thoughts of running with it on. It depends on how the application is coded. If coded properly, running with register globals on isn't a big deal, but most applications don't quite cut it in this regard.

Here's the problem. Say you have a little script that looks like this:

Code
<?php

$a = 1;
$b = 2;

// $c is only ever set inside this branch
if ($a + $b == 4) {
   $c = 1;
}

if ($c == 1) {
   echo "Hey, my math sucks, cuz 1 + 2 does not equal 4!";
}
?>


Now, normally what you'd expect to happen is nothing. Since $a + $b never equals 4 that echo statement will never be executed. But, with register globals on, all somebody would have to do would be to call your script like this:

http://www.yourdomain.com/scriptname.php?c=1

That injects the value for $c right into your script, even though the bit of code that sets $c in your script never gets executed. The problem is that $c is never predefined, and this is the problem with a lot of scripts. Properly coded, that script would look like this:

Code
<?php

// Predefine some variables
$c = 0;


$a = 1;
$b = 2;

if ($a + $b == 4) {
   $c = 1;
}

if ($c == 1) {
   echo "Hey, my math sucks, cuz 1 + 2 does not equal 4!";
}
?>


So now, even if register globals are on and someone tries to pass $c via the url, the script sets it to 0 at the beginning so that echo line will never be executed.

Hopefully, that makes a bit of sense. I can program but I can't explain things worth a pile of beans
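
Added example, not part of Rick's post: the two listings above side by side, runnable on current PHP, where register_globals no longer exists (it was removed in PHP 5.4). As an assumption of this sketch, extract() on a constructed request array stands in for register_globals, and the function names unsafe_script() and safe_script() are hypothetical.

```php
<?php
// Added example: emulates register_globals, which copied request
// parameters into variables before the script body ran.

// Constructed sample input: what ?c=1 on the URL would supply.
$injected = ['c' => '1'];

// Body of the first listing: $c is never predefined.
function unsafe_script(array $request): bool
{
    extract($request);      // stand-in for register_globals = on

    $a = 1;
    $b = 2;
    if ($a + $b == 4) {
        $c = 1;
    }
    // isset() only avoids the undefined-variable warning on modern
    // PHP; the outcome is the same as the original "$c == 1" test.
    return isset($c) && $c == 1;
}

// Body of the second listing: $c is predefined.
function safe_script(array $request): bool
{
    extract($request);      // same injected input

    $c = 0;                 // overwrites whatever the request supplied
    $a = 1;
    $b = 2;
    if ($a + $b == 4) {
        $c = 1;
    }
    return $c == 1;
}

// Report whether the guarded echo branch would be reached.
printf("no parameters, unsafe script: %s\n", var_export(unsafe_script([]), true));
printf("?c=1, unsafe script:          %s\n", var_export(unsafe_script($injected), true));
printf("?c=1, safe script:            %s\n", var_export(safe_script($injected), true));
```

Only the middle call reaches the guarded branch: the request-supplied $c survives because nothing in the script assigns it first.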
Posted By: Zackary Re: Question about register globals - 03/13/2004 9:15 AM
Good enough for me Scream.

A friend and I sat down and looked at the app... then we coded the need for register globals right out of the darn thing.

But knowledge is good and I appreciate the answer. No register globals for me at this point.

Oh and btw, regarding the .htaccess... isn't that a Linux thing? I'm running on WIN2K, so, don't think it would work, unless I'm mistaken.

Thanks again!
Posted By: Ron M Re: Question about register globals - 03/13/2004 10:02 PM
If you are on Win2K, you would need to be running Apache on there instead of IIS if I'm not mistaken.
Posted By: scroungr Re: Question about register globals - 03/24/2004 3:46 AM
okay here's a question.. how does UBBT pass the $config['yadayada'] variables from script to script? Through cookies? Sessions? Get and Post Http? Globals?
Posted By: Rick Re: Question about register globals - 03/24/2004 5:45 AM
At the top of each script you'll see where main.inc.php is included. That script includes all the config files, theme files, etc. that construct the config array and makes all of the config variables available to the script.
Posted By: scroungr Re: Question about register globals - 03/24/2004 5:54 AM
cool thanx. yeah think I found that and am playing with " vs '...
Posted By: dimopoulos Re: Question about register globals - 03/24/2004 11:17 AM
Yes, it does work, but you need, as Ron said, to be running Apache and have enabled the mod_rewrite module.