05/08/2009 07:01
Please check and test your website tomorrow (6 August 2009) and let me know if you have any problems.
This ONLY applies to clients with PHP websites; plain HTML websites will not be affected.
The reason for this is that we are going to switch Register_Globals OFF on our servers tonight, and with the current setting being ON there is a chance that some parts of your PHP code will no longer work.
I will try to explain in plain terms what is what.
PHP is a website programming language that has had a “Register_Globals ON / OFF” setting since PHP Version 4. At this moment Version 4 is already regarded as “outdated” and almost everyone has already switched to PHP Version 5.
The Register_Globals setting is a security feature that prevents hackers from injecting SQL commands to hack a website, but because it requires changes to the website's PHP code, many ISPs chose not to switch register_globals off and to implement it at a later stage instead.
You can compare it to the switch to Unleaded Petrol where most cars can use unleaded petrol while the others require minor changes.
Just as you can choose to use leaded or unleaded petrol, you can also choose to use register_globals on or off, so it’s not really a big problem. (But obviously the best option is to fix PHP code that requires register_globals ON.)
What Register_Globals does.
When you submit a form or interact with a database you get, for example, a command like this. (It’s not really like this, but this is easier to understand.)
Select from database and display “birth-date” of user “Piet”
With register_globals ON and the method set to POST, the server will execute the above command as a URL to another page that processes the command.
http://www.website.com/index.php?view=”birth-date” and user=”Piet”
But a hacker can change it to look like the following, and the risk is obvious.
http://www.website.com/index.php?view=”password” and user=”Piet”
With register_globals OFF this is not possible, because the website programmer is forced to code more securely and SPECIFY the variable, such as “birth-date”, at the RECEIVING end, so view=”birth-date” will still work but view=”password” will not.
In other words, register_globals ON trusts that the programmer’s code is secure against SQL injections and executes commands as is, but register_globals OFF doesn’t, and actually checks whether variables are declared or not.
According to our logs, our server security firewalls block MANY SQL injection hacking attempts on a regular basis, and with that in mind we finally decided to turn register_globals OFF and deal with problems with old and outdated scripts and PHP programming as they come.
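For clients who need to update their scripts, this is one way the "specify the variable at the receiving end" fix described above can look in PHP. It is an added example, not code from the original announcement or from any client site; the `ALLOWED_VIEWS` list, the function names and the sample record are constructed for illustration.

```php
<?php
// Added illustration; field names and the sample record are constructed.

// BEFORE (needs register_globals ON): the script never assigns $view or $user.
// PHP creates them from the request, so whatever name arrives is used as-is:
//
//     echo $record[$view];
//
// With register_globals OFF, $view is undefined here and the page breaks.

// AFTER (works with register_globals OFF): read the request array explicitly
// and accept only the field names this page is meant to show.
const ALLOWED_VIEWS = ['birth-date', 'city'];

function read_view(array $request): ?string
{
    $view = $request['view'] ?? null;
    if (!is_string($view) || !in_array($view, ALLOWED_VIEWS, true)) {
        return null; // missing, wrong type, or not on the list
    }
    return $view;
}

function render_field(array $request, array $record): string
{
    $view = read_view($request);
    if ($view === null) {
        return 'Field not available';
    }
    // Escape before output so stored values cannot inject markup.
    return htmlspecialchars((string) $record[$view], ENT_QUOTES, 'UTF-8');
}

// Constructed row standing in for the database lookup of user "Piet".
$record = [
    'birth-date' => '1970-01-01',
    'city'       => 'Pretoria',
    'password'   => 'constructed-placeholder',
];

// In a real page the first argument would be $_GET or $_POST.
echo render_field(['view' => 'birth-date'], $record), PHP_EOL;
echo render_field(['view' => 'password'], $record), PHP_EOL;
echo render_field([], $record), PHP_EOL;
```

A script written this way behaves the same whether register_globals is ON or OFF, so it can be deployed before the switch.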
Owned by: Cyberage SA