[pmwiki-users] Turning off register_globals using ini_set()
Patrick R. Michaud
pmichaud at pobox.com
Wed Jan 3 10:10:10 CST 2007
On Wed, Jan 03, 2007 at 04:51:55PM +0200, Athan wrote:
> "Jason Frisvold" <xenophage0 at gmail.com> wrote in message
> news:924f29280701030633s783e2492m63c4e402dba1772c at mail.gmail.com...
> > Ouch.. Why would your provider do this? I'm guessing another hosted
> > site needed it.. Have you tried informing them of the dangers of
> > register_globals?
>
> You're right, register_globals cannot be set with ini_set().
The full answer is that setting register_globals with ini_set()
doesn't have any effect, because register_globals is processed
before a PHP script is run. So, by the time the ini_set() is
executed in the PHP script, the variables have already been set.
However, running with register_globals "on" shouldn't be of great
concern with PmWiki. One of the first actions that the pmwiki.php
script performs is to see if register_globals has been enabled,
and if enabled then PmWiki explicitly unsets all of the variables
that were set by register_globals (lines 32-36 of pmwiki.php).
So, even if the provider runs PHP with register_globals enabled,
you're still pretty well protected under PmWiki.
And, there's always the http://www.pmwiki.org/wiki/PmWiki/SiteAnalyzer
page, where PmWiki can look at your site's settings and report on
various potential configuration issues.
Pm
More information about the pmwiki-users
mailing list