Mambo Web Development

Seeking information or support on the Mambo Content Management System? You’ve come to the right place! This site is run by Mambo experts.

Register Globals

What is register globals and why does it matter? An early feature of PHP (the scripting language used to create Mambo) was that information in the query string or in a submitted form was automatically placed in global variables, ready for use by the program. This made development easier in the days when PHP was aimed at people quickly writing simple scripts.

But crackers saw this as an opportunity to inject values into a program in ways its author never intended. A number of exploits were based on setting global variables to values that caused cracker software to be loaded and run.

Mambo 4.6 provided a variety of ways to combat this. Some attempts to set data values were directly blocked, and more control was provided over the register globals mechanism.

Mambo has a configuration option to turn register globals on or off, which works independently of how PHP is configured. Clearly the preferred choice is to turn it off, and ideally also have PHP configured with register_globals set to no. Some old software may not run in this environment, so the option to turn on register globals was provided, but its use is not recommended. The best approach is to dispense with software that needs register globals, or get someone to update it.

Hosting providers nowadays often have register_globals turned off in the PHP configuration, and keeping the Mambo option off as well is by far the best policy for a secure site.
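
The following is an added example, not code from Mambo: it contrasts a script written for register globals with one updated to run with the setting off, plus a key-blocking check of the kind mentioned above. Since register_globals has been removed from current PHP, extract() stands in for it; the request data is constructed, and the names base_path, page and /srv/site are hypothetical.

```php
<?php
// Added illustration; all names and paths below are hypothetical.

// Constructed sample request: the visitor supplies a variable the script
// never expected to come from outside.
$request = ['page' => 'news', 'base_path' => 'http://untrusted.invalid/x'];

// Legacy style: relies on register globals. Emulated here with extract(),
// which copies every request key into the local scope as a variable.
function legacy_target(array $request): string
{
    extract($request);                 // what register_globals did implicitly
    if (!isset($base_path)) {          // "only set it if nobody else has"
        $base_path = '/srv/site';
    }
    return $base_path . '/pages/' . $page . '.php';   // path handed to include
}

// Updated style: works with register globals off. Every variable is
// initialised by the script; input is read explicitly and validated.
function hardened_target(array $request): string
{
    $base_path = '/srv/site';                          // never taken from input
    $allowed   = ['home', 'news', 'contact'];          // allow-list of pages
    $page      = $request['page'] ?? 'home';
    if (!is_string($page) || !in_array($page, $allowed, true)) {
        $page = 'home';
    }
    return $base_path . '/pages/' . $page . '.php';
}

// Blocking step: refuse requests whose keys collide with names the
// application reserves for itself.
function reject_reserved_keys(array $request, array $reserved): bool
{
    foreach (array_keys($request) as $key) {
        if (in_array($key, $reserved, true)) {
            return false;              // request tries to set a reserved name
        }
    }
    return true;
}

echo legacy_target($request), "\n";    // base path now comes from the request
echo hardened_target($request), "\n";  // base path stays under script control
var_dump(reject_reserved_keys($request, ['GLOBALS', '_GET', '_POST', 'base_path']));
```

When reviewing old add-ons, the thing to look for is any variable that reaches include, require or a file path without being assigned by the script first.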

 
