
register_globals=on


proudly


I was reading a book and I saw that paragraph

''The only trick to these settings (..on php.ini) is that if you choose to use legacy software written in PHP, it may very well require that register_globals and/or register_long_arrays be turned on. In this case, you must decide whether using the software is worth the security risk. You can mitigate this risk by checking frequently for security patches and other updates for such software''

 

The author doesn't explain what the ''security risk'' could be. Could anyone explain?


I can't imagine any decent software old enough that it would need register_globals to work.

 

The security risk is that the user can set the value of any variable on your script and make your program behave in an unexpected manner. This may be a problem depending on how the program is built.

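The risk described in the reply above, as an added example that is not part of the original thread: a page that never initialises `$authorized` lets a request parameter decide its value, while the rewritten page ignores it. register_globals no longer exists in current PHP, so `extract()` stands in for it here; the function names and the sample request are constructed for illustration.

```php
<?php
// Constructed sample: the query string ?authorized=1 sent by a visitor
// who is NOT logged in.
$request = ['authorized' => '1'];

// Legacy-style page logic. extract() emulates register_globals=on:
// every request parameter becomes a variable before the page code runs.
function legacy_page(array $request, bool $logged_in): string
{
    extract($request);
    if ($logged_in) {
        $authorized = true;
    }
    // $authorized was never initialised, so when the login check does
    // not set it, whatever the request supplied is still in place.
    return !empty($authorized) ? 'secret report' : 'access denied';
}

// The same page written to work with register_globals=off.
function fixed_page(array $request, bool $logged_in): string
{
    // Every variable gets a known value before it is used.
    $authorized = false;
    if ($logged_in) {
        $authorized = true;
    }
    // Request data is read by name, only where the page expects input.
    $lang = isset($request['lang']) ? (string) $request['lang'] : 'en';
    return $authorized ? "secret report ($lang)" : 'access denied';
}

// Same request and same not-logged-in visitor for both versions.
echo legacy_page($request, false), "\n";
echo fixed_page($request, false), "\n";
```

Software that "requires" register_globals is software written like `legacy_page`: it relies on request values appearing as variables, which is also why it stops working when the setting is off.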

If register_globals is set to off, can someone use freely the software or not? Also, if register_globals is set to off, the risk is eliminated or not, and then the page is readable and working well?

 

The previous abstract is from the book ''PHP and MySQL Web Development'', Fourth Edition by Luke Welling and Laura Thomson, page 380


if register_globals is set to off, can someone use freely the software or not?

Well, if it requires register_globals to work, and you have that option off, then the software isn't going to work.

Also if register_globals is set to off, the risk is eliminated or not

If register_globals is disabled then the problems caused by register_globals being enabled are eliminated.
