CiviCRM Community Forums (archive)


This forum was archived on 25 November 2017. Learn more.

Author Topic: ini_set() is disabled by my hosting, what is the security issue?  (Read 3267 times)

macaruda

  • I’m new here
  • *
  • Posts: 4
  • Karma: 0
  • CiviCRM version: 4.2.1
  • CMS version: Wordpress 3.4.2
  • MySQL version: 5.5.25-cll
  • PHP version: 5.3.16
ini_set() is disabled by my hosting, what is the security issue?
October 01, 2012, 02:45:36 am
Hi everyone, I got this problem on my installation.

Warning: ini_set() has been disabled for security reasons in .....

A chat with my hosting company reveals that it is dangerous to enable ini_set(). So what do I say to them to get this setting back,
or is there any other way around? Seeing that a lot of CiviCRM functions use this... it's getting complex for me to understand.

A Google search shows that it can be used to bypass login. Last week my admin IDs got removed, in fact all WordPress users were removed (WordPress 3.3 with CiviCRM 4.1; I have since reinstalled WordPress to 3.4 and CiviCRM to 4.2 currently). So does it have something to do with this ini_set()?

xavier

  • Forum Godess / God
  • I’m (like) Lobo ;)
  • *****
  • Posts: 4453
  • Karma: 161
    • Tech To The People
  • CiviCRM version: yes probably
  • CMS version: drupal
Re: ini_set() is disabled by my hosting, what is the security issue?
October 01, 2012, 03:30:48 am
Hi,

It allows modifying configuration info, for instance how long a script can run or how much memory it can use.

On super cheap hosting, disabling it prevents one script from eating all the resources, hence the "security" I suppose.

It has nothing to do with your problem with the admin ID being removed (or the login bypass); that seems to be a separate problem.

It is in general not worthwhile trying to host Civi on cheap hosting; things like CiviMail need resources, more than they are willing to give. I don't know your host, but it might be worthwhile switching now.
-Hackathon and data journalism about the European parliament 24-26 jan. Watch out the result

macaruda

Re: ini_set() is disabled by my hosting, what is the security issue?
October 01, 2012, 04:07:42 am
Hi Xavier,

This happened when I performed a merge of duplicate contacts:


Warning: ini_set() has been disabled for security reasons in Request.php on line 712

Warning: ini_set() has been disabled for security reasons in Request.php on line 915

Warning: ini_set() has been disabled for security reasons in Request.php on line 917

Warning: ini_set() has been disabled for security reasons in Request.php on line 769


Has anyone (hehe) successfully convinced their cheap hosting to enable ini_set()? Please share your experience.

macaruda

Re: ini_set() is disabled by my hosting, what is the security issue?
October 01, 2012, 04:15:55 am
Quote
But depending on your PHP configuration, this may not be necessary! PHP’s much-reviled magic quotes feature is enabled by default in current versions of PHP. This feature, which can be disabled by setting the magic_quotes_gpc php.ini variable to Off, will automatically apply addslashes to all values submitted via GET, POST or cookies. This feature safeguards against inexperienced developers who might otherwise leave security holes like the one described above, but it has an unfortunate impact on performance when input values do not need to be escaped for use in database queries. Thus, most experienced developers elect to switch this feature off.


Is this the issue they (my hosting) are talking about, or are they just bluffing me to hide a resource issue on cheap hosting?

xavier

Re: ini_set() is disabled by my hosting, what is the security issue?
October 01, 2012, 04:26:55 am
It isn't enabled by default in the current version of PHP (it is deprecated in the current version and will be removed on the next one).

Quote
There is no reason to use magic quotes because they are no longer a supported part of PHP

The magic_quotes_gpc directive may only be disabled at the system level, and not at runtime. In other words, use of ini_set() is not an option.

Anyway, we are using ini_set for a different purpose, and Civi doesn't need or want magic quotes. If it is enabled, it will break things.
-Hackathon and data journalism about the European parliament 24-26 jan. Watch out the result
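
Added example, not part of the original posts and not CiviCRM code: a small PHP script a site owner could run on the hosting account to see which functions the host has disabled and whether the limits xavier mentions (run time, memory) and magic_quotes_gpc can be changed at runtime. The directives memory_limit and max_execution_time are standard php.ini settings chosen for illustration; the thread does not say which settings Request.php changes. The function names are hypothetical.

```php
<?php
// Added diagnostic, not CiviCRM code. Kept compatible with PHP 5.3
// (the version in the original post): no short array syntax, no type hints.

// Functions the host has switched off through the disable_functions directive.
function disabled_functions() {
    $raw = (string) ini_get('disable_functions');
    return array_filter(array_map('trim', explode(',', $raw)), 'strlen');
}

// Report a directive's current value and whether a script may change it.
// The probe re-applies the current value, so nothing is actually altered.
function probe_directive($directive) {
    $current = ini_get($directive);
    if ($current === false) {
        return array(null, 'directive not present in this PHP build');
    }
    // function_exists() is false for a function listed in disable_functions.
    if (!function_exists('ini_set')) {
        return array($current, 'ini_set() disabled: must be set by the host');
    }
    // ini_set() returns false when the directive cannot be set at runtime
    // (for example a system-level or per-directory-only setting).
    if (@ini_set($directive, $current) === false) {
        return array($current, 'not changeable at runtime');
    }
    return array($current, 'changeable at runtime');
}

$disabled = disabled_functions();
echo 'PHP ', PHP_VERSION, "\n";
echo 'disable_functions: ', $disabled ? implode(', ', $disabled) : '(none)', "\n\n";

$directives = array('memory_limit', 'max_execution_time', 'magic_quotes_gpc');
foreach ($directives as $name) {
    list($value, $status) = probe_directive($name);
    printf("%-20s %-10s %s\n", $name, var_export($value, true), $status);
}
```

Where the report shows ini_set() as disabled, the listed values are the ones in effect for every script on the account, which gives a concrete list to discuss with the host.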

macaruda

Re: ini_set() is disabled by my hosting, what is the security issue?
October 01, 2012, 08:46:26 pm
Thanks xavier,
I'll try to convince them about this. In summary, CiviCRM is secured against any current SQL injection issue, right?


This forum was archived on 2017-11-26.