Problem with 1.5.2 with regard to PHP’s “register_globals”

I think most people’s advice would be to revise your script rather than using the old wp-settings.php file. This was changed because of a security issue, which has been exploited on people’s sites.

Using the old file leaves your site vulnerable – not recommended.

The register_globals exploit that was fixed in WP v1.5.2 was not WordPress-specific. It is a vulnerability in all PHP scripts which make use of register_globals. In fact, most experts believe that register_globals is nothing but a big security hole that should be disabled as a default security precaution on all servers. So, LesBessant is right, you really should revise your script.

The script is not mine, unfortunately. ?? It was downloaded from elsewhere, and is pretty essential in helping me keep track of my site.

Well, I was looking through the entire script (it is made up of a bunch of files, and it calls one another using the $DOCUMENT_ROOT variable) and due to my negligible PHP knowledge, I couldn’t really do anything. *blushes*

Unless someone is able to help me find an alternative way to code this? ??

<?include_once($DOCUMENT_ROOT.”/useronline/addonline.php”);?>

There are several more $DOCUMENT_ROOT-s in all the other script files as well which I need to replace in order for it to work well with the latest WordPress release. ??

You can replace all instances of $DOCUMENT_ROOT with $_SERVER['DOCUMENT_ROOT'].

register_globals takes the super-global variables and makes the individual components of each super-global array into a unique variable. It does a lot more than that, too, so feel free to read the link above.

If this is all you require from register_globals, then it’s pretty easy to search-and-replace your way through the fix. It’s when you code an entire script with the expectation that register_globals is enabled that you have more trouble.

Eh… I apologise, but I have absolutely zero (or almost) knowledge of PHP and so I couldn’t really understand the articles there.

According to the article, the “Document Root” is defined as:
The document root directory under which the current script is executing, as defined in the server’s configuration file.

If the configuration file is coming from the server, why did the $DOCUMENT_ROOT suddenly change to the WP themes directory? :X

If the above question I posed sounds stupid, don’t forget that this is coming from a PHP idiot like me. ??

Anyone willing to coach me one on one through MSN? :X I will be extremely grateful to you.

If
<?include_once($DOCUMENT_ROOT."/useronline/addonline.php");?>

is the only occurence, replace the line with
<?include_once("https://example.com/useronline/addonline.php");?>

where “example.com” should be replaced with the right url (the url of your site)

else replace the “DOCUMENT_ROOT” with what skippy suggested.

Skippy was suggesting a quickfix, and then suggesting that you can read up some references, only if you have the penchant for these things, else it is okay to skip the reading ??

Hi carthik! I have tried replacing it with the following code before:

<?include_once(“https://example.com/useronline/addonline.php&#8221;);?>

but it didn’t work.

I will now try replacing all the “$DOCUMENT_ROOTS” with “$_SERVER[‘DOCUMENT_ROOT’]” and hope for the best. ??

Just to check, $_SERVER[‘DOCUMENT_ROOT’] should work on ALL pages including non WP static pages, right? ??

Because now all my WP main page is logging fine in the script while my static pages aren’t. ??

Where have I gone wrong?

Maybe you should try contacting the folks who wrote the logger, since we don’t know much about it, besides what you have let us know.

I don’t even know who wrote the logger, because it was from a friend who claimed it was written by someone else.

Ah well. Thanks for the help rendered. At least the problem is partly solved now, as in, the logger is now logging all accesses to the WP mainpage whereas it isn’t logging the other static pages, unlike not even logging at all before we started.

You may want to try an alternative logger, like ShortStat. The current version can be found here: https://www.shauninman.com/plete/2005/01/nofollow-the-leader

There are also several statistics plugins for WordPress, but they will not be able to log visits to your non-WordPress pages.

https://codex.www.ads-software.com/Plugins/Statistics

Mmm… sounds good! I’ll look into that. Thanks Macmanx! ??

Actually, I was looking at an alternative way on how to disable register_globals via a .htaccess file.

https://www.taskspro.com/documentation/register_globals.html

How is this different from the method implemented by WordPress?

Unfortunately, the .htaccess trick may not work with some hosting providers, because it is common practice for shared hosting providers to disable the php_flag variable. Upgrading to WordPress v1.5.2 is a much better solution, because you can do it under any hosting provider, and it won’t affect your ability to run other scripts which require register_globals.