Register Globals....ON!?!

[Starteck2002]

I just went to install this script and got the message 'Register Globals .......... WHMCS requires Register Globals to be On for it function correctly. These can be enabled in a .htaccess or php.ini file in your WHMCS Directory'

 

Can you tell me if you plan to stop requiring Register Globals = ON? Not only is this a security risk, PHP6 will not include 'register globals' anyway.

 

I was really looking forward to this as an alternative to ClientExec but don't want to put my servers at any more risk than is really necessary.

 

http://forums.cpanel.net/showthread.php?t=50398&highlight=register_globals

[Adam]

Hey,

 

Register Globals is a requirement in order to run WHMCS. Register Globals alone is no security issue. The myth that states it is an issue is one that's been around for a long time but is not really true. There is only ever an issue if there is bad coding. Say for example the user authentication system for the admin area was simply:

 

if($authorised){ dosomethingsensitive(); }

 

Then of course a user could just do ?authorised=true on the end of the URL and then they've got access to run a command, but it's not. All input by WHMCS is properly checked and validated before being used and there aren't any kind of loopholes like that in the login system.

 

There is no need to worry having Register Globals on in your WHMCS directory.

 

From,

Adam

[MACscr]

its still lazy coding to requiring them on, and thats not a myth. Its also kind of shooting yourself in the foot as some hosts dont allow you to turn register_globals on.

[Adam]

its still lazy coding to requiring them on, and thats not a myth. Its also kind of shooting yourself in the foot as some hosts dont allow you to turn register_globals on.

 

I don't think so, my Live Support program (that I modified), I used Re. globes and it works fine. No hacks or anything (tested it out my self as well with another programer), and it's not lazy coding, nor can it be hacked.

 

Also you don't have to have your host turn it on for you, you just make a .htaccess file with one line of code and PHP reg. globes in enabled for that floder. So in WHMCS just put it with the index.php file and your good to go. Now I don't think thats hard at all?

 

From,

Adam

[MACscr]

Not all hosts allow you to override their php.ini settings. Plus I will stay in agreement with php.net and zend about security and coding styles.

 

P.S. Maybe im thinking of some other host that posts here, but wasnt your server hit with a worm yesterday? It probably has nothing to do with php, just making a point.

[Adam]

P.S. Maybe im thinking of some other host that posts here, but wasnt your server hit with a worm yesterday? It probably has nothing to do with php, just making a point.

 

Yes my server was hit with a worm, which was not caused by PHP at all, and what point is that?

 

From,

Adam

[xxkylexx]

Not all hosts allow you to override their php.ini settings. Plus I will stay in agreement with php.net and zend about security and coding styles.

 

Taken directly from PHP.net:

 

Perhaps the most controversial change in PHP is when the default value for the PHP directive register_globals went from ON to OFF in PHP 4.2.0. Reliance on this directive was quite common and many people didn't even know it existed and assumed it's just how PHP works. This page will explain how one can write insecure code with this directive but keep in mind that the directive itself isn't insecure but rather it's the misuse of it.

 

 

Kyle

[Harrison]

TBH, I doubt Matt would use it, if it was insecure.

[numberz]

its still lazy coding to requiring them on, and thats not a myth. Its also kind of shooting yourself in the foot as some hosts dont allow you to turn register_globals on.

 

I must agree that when i see a script thats requiring reg. globals on that it was someone being lazy when making the script.

[eger]

I know this is an old post. But it doesn't seem the original question was ever answered by Matt and I have the same question.

 

I am also curious if there are any plans to move away from register globals so that one day (maybe a far distant version) might not require them?

[Matt]

Of course, PHP6 doesn't have register globals so by the time that is released, WHMCS won't need them.

 

Matt

[jerett]

For those that feel it is lazy programming - I would just suggest you move on then and develop your own script that works just the way you see fit. It is a myth and is not lazy coding. WHMCS is a well designed and constructed script that works the way it should with little to no issues at all. Turning your reg globals on in your htaccess is simple and does not interfere with any other script or client.

 

Why do people continue to complain about nothing is besides me.

[atDev]

What in WHMCS requires this to be on anyways?

[Adam]

Hey,

 

Here is a link from the knowledgebase of WHMCS which answers most of your questions with out needing to contact anyone!

 

http://support.whmcs.com/knowledgebase.php?action=displayarticle&catid=3&id=1

 

From,

Adam

[trine]

What in WHMCS requires this to be on anyways?

 

It's the way some of the EGPCS (Environment, GET, POST, Cookie, Server) are used in the script, instead of using superglobals for retrieving external variables. It is based on the script being developed some time ago, where it was standard practice. As far as being secure, as long as all the input it sanitized, globals on should not present any more security issues than with it off.