
Help a Lousy php Programmer


#1 CRM114 (Thread Starter), 11-16-04, 03:34 PM

Hello there. php - I wrote some web apps a long time ago in php and I'm moving them to a new server. Suddenly, things don't work.

For instance, does the following variable not work in the newest version of php? PHP_AUTH_USER

I had a bit of simple code like so:

$user = $PHP_AUTH_USER;
echo "Howdy $user";

And even it doesn't work.

The user would log in using an htpasswd file and php would report their username back (and do all sorts of other stuff.)

#2 Canis Firebrand, 11-16-04, 03:36 PM

Sounds like your new host has $REGISTER_GLOBALS off in their php.ini file.

You have to call your variables differently with register_globals off.

Try this.


With register_globals off, $PHP_AUTH_USER is accessible as either $_SERVER["PHP_AUTH_USER"] or $GLOBALS["PHP_AUTH_USER"], and the above script works.

Last edited by Canis Firebrand; 11-16-04 at 03:42 PM.

#3 CRM114 (Thread Starter), 11-16-04, 03:51 PM

OK, I changed that line in the php.ini file to ON.

Is this bad?

Do I need to restart something to get it to work? I restarted Apache and it still doesn't work.

#4 Canis Firebrand, 11-16-04, 03:53 PM

It's a security risk. In the most recent releases of php, register_globals is set to off by default.

I think you have to restart the php daemon/program.


Perhaps the most controversial change in PHP is when the default value for the PHP directive register_globals went from ON to OFF in PHP 4.2.0. Reliance on this directive was quite common and many people didn't even know it existed and assumed it's just how PHP works. This page will explain how one can write insecure code with this directive but keep in mind that the directive itself isn't insecure but rather it's the misuse of it.

When on, register_globals will inject (poison) your scripts with all sorts of variables, like request variables from HTML forms. This coupled with the fact that PHP doesn't require variable initialization means writing insecure code is that much easier. It was a difficult decision, but the PHP community decided to disable this directive by default. When on, people use variables yet really don't know for sure where they come from and can only assume. Internal variables that are defined in the script itself get mixed up with request data sent by users and disabling register_globals changes this. Let's demonstrate with an example misuse of register_globals:
From http://us2.php.net/manual/en/securit...terglobals.php
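
The mixing of request data and server variables described in the quoted manual text, shown with the thread's own `PHP_AUTH_USER` variable. This is an added example, not code from the thread or the PHP manual; `register_globals` no longer exists in current PHP, so it is emulated with `extract()`, and the function names and sample request are constructed.

```php
<?php
// Added example, not code from the thread. register_globals was removed in
// PHP 5.4, so its effect is emulated with extract(). Function names and the
// sample request data are constructed for illustration.

// Emulates register_globals = On with the default variables_order "EGPCS":
// request parameters and server variables all become plain variables.
function greet_register_globals(array $get, array $server): string
{
    extract($get);     // query-string parameters become variables
    extract($server);  // server variables are registered after them
    // Nothing here says where $PHP_AUTH_USER came from.
    return isset($PHP_AUTH_USER) ? "Howdy $PHP_AUTH_USER" : 'Howdy stranger';
}

// register_globals = Off style: read the value from $_SERVER only.
function greet_explicit(array $server): string
{
    $user = $server['PHP_AUTH_USER'] ?? null;
    if ($user === null) {
        return 'Howdy stranger';
    }
    return 'Howdy ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
}

// Constructed request: the script is reached without HTTP authentication,
// so the web server sets no PHP_AUTH_USER, but the URL carries
// ?PHP_AUTH_USER=admin.
$server = ['REMOTE_ADDR' => '192.0.2.10'];
$get    = ['PHP_AUTH_USER' => 'admin'];

echo greet_register_globals($get, $server), "\n"; // trusts the URL value
echo greet_explicit($server), "\n";               // ignores the URL value

// In a real script the explicit form reads the superglobal directly:
//   $user = $_SERVER['PHP_AUTH_USER'] ?? null;
```

The same pattern applies to `REMOTE_ADDR` and any other value the old scripts read as a bare variable: take it from `$_SERVER` so a request parameter of the same name cannot stand in for it.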

#5 CRM114 (Thread Starter), 11-16-04, 03:55 PM

Vryce - Your edited suggestion worked. Thanks.

Apparently, there is a file in MacOS X Server in /etc/ called php.ini.default

I edited that but I don't believe that's the real ini. I don't know where it is but your suggestion worked. Thanks! Now I just have to get the rest of the app to work. I don't think $REMOTE_ADDR works either.

#6 Canis Firebrand, 11-16-04, 03:59 PM

Nope.. that would be a template for php.ini
The real one probably lives in another directory, probably under /apache

or wherever your apache installation is.

The PHP site is a great resource and should be able to help get the rest of your code working with register_globals off.
It might be just as simple as calling each variable like the one in my post above, encasing it in $_GLOBALS["variable"]

#7 CRM114 (Thread Starter), 11-16-04, 05:00 PM

This is why I do all of my scripts in Lasso now.

[username]

[password]

is all it takes.

It'll just take too long to rewrite this particular code and I don't want to do it.

Last edited by CRM114; 11-16-04 at 05:03 PM.

#8 Breakfast with Girls, 11-16-04, 08:53 PM

Originally posted by CRM114
This is why I do all of my scripts in Lasso now.

[username]

[password]

is all it takes.

It'll just take too long to rewrite this particular code and I don't want to do it.

Lasso is fine, provided you don't have to do anything -- and I mean anything -- complicated.

#9 CRM114 (Thread Starter), 11-17-04, 08:17 AM

Originally posted by Breakfast with Girls
Lasso is fine, provided you don't have to do anything -- and I mean anything -- complicated.
Like what? We do plenty of things with Lasso. I've been using it for 5 years and run our enterprise on it. Anything before Lasso 5 was a toy but Lasso 5 and now Lasso 7 is very robust now that they use MySQL as its basis and runs as a unix service.

Last edited by CRM114; 11-17-04 at 08:24 AM.
