Which files will be influenced by "register_globals 0" in .htaccess
Hi,
in the home directory I put .htaccess with "register_globals 0".
Obviously, all php-files from this directory will not take variables
from the address line. But, as far as I understand, the .htaccess
file influences all files in the subdirectories so that they also
cannot take the variables from the address line. Should it be like
that?
Re: Which files will be influenced by "register_globals 0" in .htaccess
On Tue, 15 Jan 2008 02:13:49 +0100, Kurda Yon <kurdayon [at] yahoo.com> wrote:
> in the home directory I put .htaccess with "register_globals 0".
php_value register_globals 0
At least, that's what Apache likes here.
> Obviously, all php-files from this directory will not take variables
> from the address line. But, as far as I understand, the .htaccess
> file influences all files in the subdirectories so that they also
> cannot take the variables from the address line. Should it be like
> that?
That's how it's supposed to work yes, if the starting script is there.
Keep in mind that if the request originates from somewhere else with
register_globals on, possible includes from this dir will also have it
enabled.
--
Rik Wasmus
Re: Which files will be influenced by "register_globals 0" in
> That's how it's supposed to work yes, if the starting script is there.
I am not so familiar with the terminology. What do you understand
under the "starting script"?
> Keep in mind that if the request originates from somewhere else with
> register_globals on, possible includes from this dir will also have it
> enabled.
Do you mean "user request of a php page" or something else? If first,
what do you understand under "request originates from a directory"?
Re: Which files will be influenced by "register_globals 0" in .htaccess
Kurda Yon wrote:
>> That's how it's supposed to work yes, if the starting script is there.
> I am not so familiar with the terminology. What do you understand
> under the "starting script"?
>
>
>> Keep in mind that if the request originates from somewhere else with
>> register_globals on, possible includes from this dir will also have it
>> enabled.
> Do you mean "user request of a php page" or something else? If first,
> what do you understand under "request originates from a directory"?
>
>
If a script include()'s another, then all variables in the called script
will be affected by the setting of register_globals.
-thibī
Re: Which files will be influenced by "register_globals 0" in .htaccess
Kurda Yon wrote:
> Hi,
>
> in the home directory I put .htaccess with "register_globals 0".
> Obviously, all php-files from this directory will not take variables
> from the address line. But, as far as I understand, the .htaccess
> file influences all files in the subdirectories so that they also
> cannot take the variables from the address line. Should it be like
> that?
Honestly if your host has register globals turned on, you really need to
be changing host. That's a big sign of improperly configured settings
and a major security risk. If you're the owner of the server, you need to
turn register globals off by the main php.ini immediately.
Same goes for PHP4, any host not at least offering both at the same time
is a good sign it's time to change host (FYI: PHP4 is not even supported
anymore, as PHP5's been out for 4 years and PHP6 is due for release in
August).
And if you're in a phpSuExec environment (which is a very good thing, as
it's a lot more secure and easier to access files without worrying about
proper chmod enabling your files to other users, and would be very odd
to have this but also have register globals on), you would not use
.htaccess, you would place a php.ini inside of the directory with your
scripts.
The only downside to the phpSuExec method of placing a php.ini in the
directory is that, if I recall correctly, it does not take place for
subdirectories.
--
Daniel Ennis
faNetworks.net - Quality Web Hosting and Ventrilo Services
System Administrator / Web Developer
PHP Developer for 6 years
daniel [at] fanetworks.net
Re: Which files will be influenced by "register_globals 0" in .htaccess
On Tue, 15 Jan 2008 02:40:03 +0100, Kurda Yon <kurdayon [at] yahoo.com> wrote:
>> That's how it's supposed to work yes, if the starting script is there.
> I am not so familiar with the terminology. What do you understand
> under the "starting script"?
>
>
>> Keep in mind that if the request originates from somewhere else with
>> register_globals on, possible includes from this dir will also have it
>> enabled.
> Do you mean "user request of a php page" or something else? If first,
> what do you understand under "request originates from a directory"?
Look at it like this, in example.com you have 3 dirs, with each a file:
/dir, which holds script.php
/dir/sub, which has a .htaccess file
/dir/sub/foo which holds otherscript.php
If the user enters with the url example.com/dir/sub/foo/otherscript.php,
register globals will be off, if the user enters with the url
example.com/dir/script.php, and that include()'s otherscript.php, the
entire code in both files will be run with register globals on.
--
Rik Wasmus
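Added example, not part of any post in this thread: because an included file runs under the settings of the script the user requested, otherscript.php from the layout above cannot rely on the .htaccess in /dir/sub and has to check at run time. The file name guard.php and both function names are hypothetical; the guard is meant to be require'd as the first statement of otherscript.php.

```php
<?php
// guard.php -- added example (hypothetical file and function names).

// True when register_globals is in effect for THIS request. The value comes
// from the configuration that applied to the requested URL, not from the
// directory this file is stored in.
function register_globals_active()
{
    $raw = ini_get('register_globals');
    if ($raw === false) {
        return false; // directive does not exist (it was removed in PHP 5.4)
    }
    return in_array(strtolower(trim($raw)), array('1', 'on', 'yes', 'true'), true);
}

// Names of globals that share a name with a GET/POST/cookie parameter,
// i.e. the variables request input may have created or overwritten.
function request_named_globals()
{
    $names = array();
    foreach (array($_GET, $_POST, $_COOKIE) as $source) {
        foreach (array_keys($source) as $name) {
            if (array_key_exists($name, $GLOBALS)) {
                // Keep log lines clean: parameter names are attacker-controlled.
                $names[preg_replace('/[^A-Za-z0-9_]/', '?', (string) $name)] = true;
            }
        }
    }
    return array_keys($names);
}

if (register_globals_active()) {
    // Fail closed and record which entry script pulled this file in.
    $entry = isset($_SERVER['SCRIPT_FILENAME']) ? $_SERVER['SCRIPT_FILENAME'] : '(unknown)';
    error_log(sprintf(
        'register_globals is on; entry script=%s; request-named globals=%s',
        $entry,
        implode(',', request_named_globals())
    ));
    header('HTTP/1.1 500 Internal Server Error');
    exit('Configuration error.');
}
```

Requested directly at /dir/sub/foo/otherscript.php the guard passes; pulled in through /dir/script.php it stops and the log entry names script.php as the entry point that still runs with the setting on.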