register_globals

[xxkylexx]

I know I had to enable register_globals via my .htaccess during the install, but is this something I can turn off now? I have read that it can be a security issue.

 

 

Kyle

[Matt]

No,

 

Register Globals is a requirement in order to run WHMCS. Register Globals alone is no security issue. The myth that states it is an issue is one that's been around for a long time but is not really true. There is only ever an issue if there is bad coding. Say for example the user authentication system for the admin area was simply:

 

if($authorised){ dosomethingsensitive(); }

 

Then of course a user could just do ?authorised=true on the end of the URL and then they've got access to run a command, but it's not. All input by WHMCS is properly checked and validated before being used and there aren't any kind of loopholes like that in the login system.

 

There is no need to worry having Register Globals on in your WHMCS directory.

[lugz]

My host suggested that I put the following in a php.ini file in the public_html folder:

 

register_globals = On

 

I did this and the install still says that the register globals test failed. Is there something I have wrong here or another way to do this?

 

Thank you

[Matt]

Using php.ini files like that only enable register globals in the folder you put them in. For WHMCS to function properly, you would need to put the same php.ini file into every one of your WHMCS folders.

 

Matt

[Volt.Networks]

Yeah, it took me a while, but just FTP it to every folder.

[xxkylexx]

Actually you don't need it in every folder, just every folder that contains .php files.

[lugz]

Thank you. I'm guessing this may be one of my problems. I think I need some help. Makes me appreciate the installation service.