PHP magic_quotes_gpc

While moving several Joomla web sites of various versions to a new hosting service, I noticed on the new hosting service that Joomla! 1.0.12 Stable while logged in as Admin had this message:

"Following PHP Server Settings are not optimal for Security and it is recommended to change them: PHP magic_quotes_gpc setting is `OFF` instead of `ON` Please check the Official Joomla! Server Security post for more information."

Not remembering if it should be ON or OFF or if it matters these days, I downloaded the latest version of Joomla and installed it to do the pre-check installation. It didn't complain about PHP magic_quotes_gpc being OFF.

So my big question for this wet Saturday afternoon is, should this be OFF for all modern installations of Joomla, or it isn't a security issue anymore?

Yes, I plan to upgrade all the Joomla web sites to the latest. I presume the best way to do this is to follow the chain of patches?

David Roth

_______________________________________________
New York PHP SIG: Joomla! Mailing List
http://lists.nyphp.org/mailman/listinfo/joomla

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php

Re: PHP magic_quotes_gpc

It's not a matter of version of Joomla, but rather philosophy of PHP developers.

Turning magic quotes on sanitizes variables automatically so they have less potential for causing database injection attacks.

Initially, this was suggested as "more secure" because it means the programmer doesn't have to sanitize the data.

Then the problem is that big apps [like Joomla] get installed on lots of different platforms, so you can't count on it being turned on.

What is worse, is that you have to use 2 different lines of code for retrieving variables based on whether magic quotes is on or off. So when you have software which can be deployed on platforms you have no control over, now one line of code has become 4, because you have to do an if/else clause for every variable retrieval.

So what was initially created to aid programmers in being lazy now causes more work for programmers. Hence programmers forced to do more work inaccurately will say it is less secure because they're doing more work.

The long and the short of it is, magic quotes has no impact on server security. It's the PHP programming that will have that impact.

On Sat, Oct 24, 2009 at 3:46 PM, David A. Roth <davidalanroth@...> wrote:

> So my big question for this wet Saturday afternoon is, should this be
> OFF for all modern installations of Joomla, or it isn't a security
> issue anymore?
>
> Yes, I plan to upgrade all the Joomla web sites to the latest. I
> presume the best way to do this is follow the chain of patches?

Actually, no you can't upgrade from 1.0 to 1.5 - instead you migrate. Depending on how many components you have this may or may not be painful.

The way we did it recently was to create a dev snapshot of a production system. Then installed the migrator component to export all the base joomla stuff.

Then we created another dev site and installed 1.5 onto it, importing the migration file during setup.

Then we enabled the legacy mode plugin. I copied over the tables for some existing components [advanceSEF and Zoomgallery] and then installed the latest versions of those components to the 1.5 site.

We copied over the contents of the 1.0 templates directory and those worked in 1.5 with legacy enabled.

Then we updated the templates to 1.5 and turned off legacy mode.

Finally once we were sure the site was correct, the dev site was backed up and restored to production.
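
Added example, not part of the reply above and not Joomla's code: the per-variable on/off check that reply describes, followed by a bound-parameter insert that does not depend on the host's setting. The function names, the `ads` table and the sample input are constructed for illustration; the flag is passed in so both host configurations run on one machine (on PHP versions that have the setting it would come from `get_magic_quotes_gpc()`), and the PDO SQLite driver is assumed to be available.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

// Return the value as the client sent it. With magic_quotes_gpc ON, PHP has
// already applied the equivalent of addslashes(), so that is undone first.
function request_value(array $source, string $key, bool $magicQuotesOn): ?string
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return null;
    }
    return $magicQuotesOn ? stripslashes($source[$key]) : $source[$key];
}

// Store the value through a bound parameter: the driver keeps data separate
// from the SQL text, so correctness does not depend on any escaping setting.
function store_title(PDO $db, string $title): void
{
    $stmt = $db->prepare('INSERT INTO ads (title) VALUES (:title)');
    $stmt->execute([':title' => $title]);
}

// List what actually ended up in the table, in insertion order.
function stored_titles(PDO $db): array
{
    return $db->query('SELECT title FROM ads ORDER BY rowid')
              ->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ads (title TEXT)');

// Constructed input: the same form field as seen on two differently
// configured hosts.
$sent    = "Bob's \"used\" car";
$hostOff = ['title' => $sent];              // magic_quotes_gpc = Off
$hostOn  = ['title' => addslashes($sent)];  // magic_quotes_gpc = On

store_title($db, request_value($hostOff, 'title', false));
store_title($db, request_value($hostOn, 'title', true));

// Skipping the check on an ON host stores the added backslashes as data.
store_title($db, $hostOn['title']);

foreach (stored_titles($db) as $title) {
    echo $title, PHP_EOL;
}
```

The first two rows come out identical, while the third keeps the backslashes that the ON host added, which is the mismatch the if/else is there to prevent.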

Re: PHP magic_quotes_gpc

As a side note, I hear there is no legacy mode for 1.6, so it is better to migrate to 1.5 where you can still enable legacy mode while bringing your site into full 1.5 compliance, than wait for 1.6 and have to guess on how to do it.

Re: PHP magic_quotes_gpc

Having that exact problem with an import function for Adsmanager. Moved to PHP server and get this error.
Need to figure out how to fix this. Any ideas Gary. :)

PHP Fatal error: Cannot use object of type stdClass as array in [path]/administrator/components/com_adsmanager/admin.adsmanager.php on line 506, referer: http://thewdn.com/administrator/index2.php?option=com_adsmanager&act=import
PHP Warning: copy([path]/administrator/components/com_adsmanager/impfiles/1-10-16-09wdn.xls) [<a href='function.copy'>function.copy</a>]: failed to open stream: Permission denied in [path]/administrator/components/com_adsmanager/admin.adsmanager.php on line 358, referer: http://thewdn.com/administrator/index2.php?option=com_adsmanager&act=import
PHP Notice: Undefined offset: 4 in [path]/administrator/components/com_adsmanager/admin.adsmanager.php on line 397, referer: http://thewdn.com/administrator/index2.php?option=com_adsmanager&act=import
PHP Notice: Undefined offset: 5 in [path]/administrator/components/com_adsmanager/admin.adsmanager.php on line 398, referer: http://thewdn.com/administrator/index2.php?option=com_adsmanager&act=import
PHP Notice: Undefined offset: 9 in [path]/administrator/components/com_adsmanager/admin.adsmanager.php on line 405, referer: http://thewdn.com/administrator/index2.php?option=com_adsmanager&act=import
PHP Notice: Undefined offset: 14 in [path]/administrator/components/com_adsmanager/admin.adsmanager.php on line 412, referer: http://thewdn.com/administrator/index2.php?option=com_adsmanager&act=import
PHP Notice: Undefined offset: 15 in [path]/administrator/components/com_adsmanager/admin.adsmanager.php on line 413, referer: http://thewdn.com/administrator/index2.php?option=com_adsmanager&act=import
PHP Notice: Undefined offset: 16 in [path]/administrator/components/com_adsmanager/admin.adsmanager.php on line 414, referer: http://thewdn.com/administrator/index2.php?option=com_adsmanager&act=import
PHP Notice: Undefined offset: 17 in [path]/administrator/components/com_adsmanager/admin.adsmanager.php on line 416, referer: http://thewdn.com/administrator/index2.php?option=com_adsmanager&act=import
PHP Notice: Undefined offset: 18 in [path]/administrator/components/com_adsmanager/admin.adsmanager.php on line 418, referer: http://thewdn.com/administrator/index2.php?option=com_adsmanager&act=import
PHP Notice: Undefined offset: 19 in [path]/administrator/components/com_adsmanager/admin.adsmanager.php on line 420, referer: http://thewdn.com/administrator/index2.php?option=com_adsmanager&act=import

--
Scott Wolpow
718.275.7765

Re: PHP magic_quotes_gpc

I suggest you go and look into the code at each and every one of these lines.

I had this problem more than once and it turned out to be a link path Dreamweaver created while I moved files around.

G'luck!

2009/10/24 Scott Wolpow <scott@...>

> Having that exact problem with an import function for Adsmanager.
> Moved to PHP server and get this error.

--
- - - - - - - - - - - - - - - -
Helvecio "Elvis" da Silva
Rio de Janeiro / New York
helvecio.rj@...

Re: PHP magic_quotes_gpc

Not using Dreamweaver, but thanks. It has to do with the difference between how 4 and 5 handle certain items. Rather than muck with some custom code that was done a few years ago, which I do not get paid for, I am going to move it to a php4 machine.

SW

--
Scott Wolpow
718.275.7765

Re: PHP magic_quotes_gpc

Is this upgraded to Joomla 1.5 or PHP 5.2?

BTW, stay away from PHP 5.3 and Joomla. It does some weeeeeird things to Joomla.

On Sat, Oct 24, 2009 at 5:02 PM, Scott Wolpow <scott@...> wrote:

> Having that exact problem with an import function for Adsmanager.
> Moved to PHP server and get this error.

There are 2 important errors, 1 is this:

> PHP Fatal error: Cannot use object of type stdClass as array in
> [path]/administrator/components/com_adsmanager/admin.adsmanager.php on
> line 506, referer:
> http://thewdn.com/administrator/index2.php?option=com_adsmanager&act=import

Which makes me think you went to 5.3 and now have some problems with deprecated functions that were removed.

The other is this:

> PHP Warning:
> copy([path]/administrator/components/com_adsmanager/impfiles/1-10-16-09wdn.xls)
> [<a href='function.copy'>function.copy</a>]: failed to open
> stream: Permission denied in
> [path]/administrator/components/com_adsmanager/admin.adsmanager.php on
> line 358, referer:
> http://thewdn.com/administrator/index2.php?option=com_adsmanager&act=import

Which basically says it is copying the uploaded file from one folder to another, and it is failing due to permission issues. This could be because you didn't set write permissions on the target folder, or more likely because the other error comes from the code retrieving the target folder so instead the folder is becoming the root.

Everything else is just the import routine throwing errors because the file it is trying to import does not exist.

> PHP Notice: Undefined offset: 4 in
> [path]/administrator/components/com_adsmanager/admin.adsmanager.php on
> line 397, referer:
> http://thewdn.com/administrator/index2.php?option=com_adsmanager&act=import

Re: PHP magic_quotes_gpc

php 5.2.9
Joomla 1.0.X [Avi's site]

On 10/25/2009 11:37 AM, Gary Mort wrote:

> Is this upgraded to Joomla 1.5 or PHP 5.2?
>
> BTW, stay away from PHP 5.3 and Joomla. It does some weeeeeird things
> to Joomla.
>
> On Sat, Oct 24, 2009 at 5:02 PM, Scott Wolpow <scott@...> wrote:
>
> > Having that exact problem with an import function for Adsmanager.
> > Moved to PHP server and get this error.
> > Need to figure out how to fix this. Any ideas Gary. :)
>
> There are 2 important errors, 1 is this:
>
> > PHP Fatal error: Cannot use object of type stdClass as array in
> > [path]/administrator/components/com_adsmanager/admin.adsmanager.php on
> > line 506, referer:
> > http://thewdn.com/administrator/index2.php?option=com_adsmanager&act=import
>
> Which makes me think you went to 5.3 and now have some problems with
> deprecated functions that were removed.
>
> The other is this:
>
> > PHP Warning:
> > copy([path]/administrator/components/com_adsmanager/impfiles/1-10-16-09wdn.xls)
> > [<a href='function.copy'>function.copy</a>]: failed to open
> > stream: Permission denied in
> > [path]/administrator/components/com_adsmanager/admin.adsmanager.php on
> > line 358, referer:
> > http://thewdn.com/administrator/index2.php?option=com_adsmanager&act=import
>
> Which basically says it is copying the uploaded file from one folder
> to another, and it is failing due to permission issues. This could be
> because you didn't set write permissions on the target folder, or more
> likely because the other error comes from the code retrieving the
> target folder so instead the folder is becoming the root.

error again. What next? Really do not want to port it to my old box, which I am shutting down.

SW

> Everything else is just the import routine throwing errors because the
> file it is trying to import does not exist.
>
> > PHP Notice: Undefined offset: 4 in
> > [path]/administrator/components/com_adsmanager/admin.adsmanager.php on
> > line 397, referer:
> > http://thewdn.com/administrator/index2.php?option=com_adsmanager&act=import

--
Scott Wolpow
718.275.7765