Help please it does not work..

**ajfmrf** · 12-14-2011, 04:51 AM

Again I have found a second free keno game that won't work.

Can anyone help explain the issue here:

web-user.info/games/keno/B/keno.html
web-user.info/games/keno/B/keno.js
web-user.info/games/keno/B/Read_First.txt
web-user.info/games/keno/B/playkeno.php
web-user.info/games/keno/B/playkeno.txt

Is this the same as the other one."Your server has got register globals off".You have to turn them on to get it to work?

The other script needed that done but my host said it would be a security risk

Bud

**jscheuer1** · 12-14-2011, 05:04 AM

It could be. I'm not sure under which circumstances or if that game program would be safe or not. See:

http://www.php.net/manual/en/security.globals.php

for information on Register Globals.

You could get another host, many - or at least some come with Register Globals on by default.

**ajfmrf** · 12-14-2011, 05:55 AM

John,I have been search like a nut and found two I like but it appears that they both require me to use the 'register globals' to be on and I am not willing to do that.

Any suggestions-know where I might find one-lol

Thanks,again John

**djr33** · 12-14-2011, 07:43 AM

Register globals is a setting that takes the contents of several standard arrays of information and makes them into real variables.

It's possible to imitate this (if a little awkward) by doing it manually.

Loop through each of the arrays and create a new variable by that name. It's something like this:

PHP Code:


$arrays = array('_GET','_POST','_COOKIE');
foreach($arrays as $array) {
     foreach($$array as $varname=>$varvalue) {
          $$varname = $varvalue;
     }
}

If you want to use this, put it at the very beginning of everything. That will simulate register globals, which runs before anything else.

I'm not recommending this necessarily. It IS a security risk. But if that's what the (bad) coding of the script you want to use requires, there's no easy way around it.

It's not necessarily just cookie, post and get. And I'm not sure what order they are supposed to go in. Technically there's an order for this so that if you have, for example, a variable with the same name in GET and POST, then one or the other will be stored second, causing the other to be over-written. You can look that up if it matters.

Secondly, this script may only require a certain subset of the above values. For example, maybe you only need POST.

Additionally, $_REQUEST includes all of those combined. So you could just use this:

PHP Code:


foreach($_REQUEST as $varname=>$varvalue) {
     $$varname = $varvalue;
}

I'm not sure if there's any difference. Maybe that's better because it's simpler.

Finally, if you can track down the individual values it requires (the actual variables it uses) then you can "fix" the script by ONLY globalizing those values. It's safer than globalizing all of them.

Here's the reason for it not being safe:
Let's say you have a variable called "$admin" where a value of 1 means the user is an admin. If you have register globals on (or this fake version of it), then if the user submit a url ending with ?admin=1 then that value from the GET array will become the new value for the real variable $admin and bypass your security.
A well written script should still in theory be protected from this, but it's very easy to forget something.

Finally, another way to do this safely would be the following:
Create a local context within a function. Then "globalize" the variables there-- using the functions I gave above. They won't actually be global-- they'll be local, but they will be available as those names ($variable, rather than $_GET['variable']). That should work for your script. Just remember that you'll need to run your script within the function.
This will be a dummy function. It will look like this:

PHP Code:


function dummyfunction(){
 //place ALL of your code here that is for THIS script.
 //keep any security code, system configuration stuff, etc., outside the scope of this function (the normal way) and it will be safe from register globals interference
}
dummyfunction();

**traq** · 12-14-2011, 03:32 PM

if there's a notice about "register_globals," then the script is probably performing a check for that specific setting, so making a workaround might not make any difference.

**jscheuer1** · 12-14-2011, 03:39 PM

Ah, but if a workaround is achieved, that check could be removed.

**djr33** · 12-14-2011, 06:57 PM

That's true. You can check specifically whether register_globals (the configuration setting) is on. But finding where it checks and removing that is probably possible. Of course without that error you will need to be sure you've properly replaced it, since it will not work and it won't give you many helpful errors. (It might give you "$x is not set" type errors, and those could help.)

**ajfmrf** · 12-14-2011, 07:15 PM

There is nothing like 'being in over your head' as I am here,right now.

Thanks for all of the responses to my post.

How ever I don't know enough about what you are talking about to take anything to the next step.

I am sorry to have asked for help that I can not put to good use due to my inability to undestand what you are talking about.

Please accept my apology.

Bud

'clueless'

**jscheuer1** · 12-14-2011, 07:53 PM

Originally Posted by djr33

That's true. You can check specifically whether register_globals (the configuration setting) is on. But finding where it checks and removing that is probably possible. Of course without that error you will need to be sure you've properly replaced it, since it will not work and it won't give you many helpful errors. (It might give you "$x is not set" type errors, and those could help.)

If you have the raw PHP code, you could just do a search for:

register_globals

You might get lucky.

**djr33** · 12-14-2011, 08:27 PM

Bud, I understand that this is confusing, but I think you can figure it out if you take it slowly.

First, integrating this with an existing script might be hard, but if you are just using this as an independent script, it will probably be fine.

The first change you should make is the following. Add this code to the top of your page where you include the other pages:

PHP Code:


foreach($_REQUEST as $varname=>$varvalue) {
     $$varname = $varvalue;
}

Then see if it works.

If it does not, then search through as John just described and try to find where it checks for register_globals-- then try to remove that line. If you need help at that point, post the code that checks it. An easy way to disable it (without messing with anything else) is the following:

Take any if statement:
if ($variable==TRUE) {

Then add a condition that will always be true:
if ($variable==TRUE || 1==1) {

That way you avoid changing the code, but it also will never be false.