Email & register_globals

[CES]

I have a shop - www.NicheLocks.com running zencart Zen Cart 1.2.6 and everything has been great for a while.

Sometime yesterday the shop stopped sending out all emails - admin, orders, contact us.

I contacted the host - easily.co.uk today and they say they have applied a security patch on the server and register_globals has been disabled.

Question is what do I do? Can anyone point me in the right direction. I want to act as fast as I can so I do not lose any custom on a live shop.

Just had a look at my server information and it looks as if register_globals is turned on???

Code:

register_argc_argv	On	On
register_globals	On	On
report_memleaks	On	On
safe_mode	Off	Off
safe_mode_exec_dir	no value	no value
safe_mode_gid	Off	Off
safe_mode_include_dir	no value	no value
sendmail_from	me AT localhost DOT com	me AT localhost DOT com
sendmail_path	/usr/sbin/sendmail -t -i 	/usr/sbin/sendmail -t -i 
serialize_precision	100	100

Thanks

Craig

[kelvyn]

Is that the server info from your cart, or is it from the "server root" info page in some control panel?

You may need a php.ini custom file, but to be honest, if your shop was working, and now they've broken it, you need to be strong, clear, firm but polite and insist that they provide a fix or info on how to do such. Worryingly, they don't seem to have a forum.

Have you tried configuring the alternative way of sending emails in admin? ie: using sendmail instead of smtp, or vice-versa?

[CES]

Thanks for the quick reply.

It is the server info from the cart.

I added a line into my .htaccess fie and turned register_globals off and that does not make a difference.

Have you tried configuring the alternative way of sending emails in admin? ie: using sendmail instead of smtp, or vice-versa?

have not messed too much as I thought there might be a 'simple' fix first.

I saved the chat that I had with them and they suggest:

Tim Williams: Ok I believe thi might then be due to register_globals

Craig Squire: right, has it changed since the weekend?

Tim Williams: The function register_globals has been disabled specifically due to
security and performance reasons (this has stemmed from the latest
update of security patches which was recently installed on the server).

Craig Squire: OK what do I do?

Tim Williams: The use of global variables can lead to it being misused, hence global variables are no longer registered for
input data (POST, GET, cookies, environment and other server
variables). Instead of using $foo, you can use $_REQUEST["foo"]
(includes any variable that arrives through the
request, namely, POST, GET and cookie variables), or use one of the
specific
$_GET["foo"], $_POST["foo"], $_COOKIE["foo"] or $_FILES["foo"],
depending
on where the input originates. Also, you can look at the
import_request_variables() function.

Tim Williams: Note that register_globals is going to be depracated (i.e., turned off
by
default) in the next version of PHP, because it often leads to security
bugs.
For further information about this please go to
http://php.net/manual/en/security.registerglobals.php.

Craig Squire: OK I shall try and work around this. Would have been nice to be forewarned though!!

Tim Williams: I apologise for any inconvenience caused by thus but unfortunatley due to security reasons the patches needed to be applied immediately.

Craig

[CES]

For information, here are my email settings in admin:

Code:

E-Mail Transport Method 	sendmail 	 
E-Mail Linefeeds 	LF 	 
Use MIME HTML When Sending Emails 	true 	 
Verify E-Mail Addresses Through DNS 	false 	 
Send E-Mails 	true 	 
Email Archiving Active? 	true 	 
E-Mail Friendly-Errors 	true 	 
Email Address (Displayed to Contact you) 	sales@nichelocks.com 	 
Email Address (sent FROM) 	sales@nichelocks.com 	 
Email Admin Format? 	TEXT 	 
Send Copy of Order Confirmation Emails To 	sales@nichelocks.com 	 
Send Copy of Create Account Emails To - Status 	1 	 
Send Copy of Create Account Emails To 	sales@nichelocks.com 	 
Send Copy of Tell a Friend Emails To - Status 	1 	 
Send Copy of Tell a Friend Emails To 	sales@nichelocks.com 	 
Send Copy of Customer GV Send Emails To - Status 	1 	 
Send Copy of Customer GV Send Emails To 	sales@nichelocks.com 	 
Send Copy of Admin GV Mail Emails To - Status 	1 	 
Send Copy of Customer Admin GV Mail Emails To 	sales@nichelocks.com 	 
Send Copy of Admin Discount Coupon Mail Emails To - Status 	1 	 
Send Copy of Customer Admin Discount Coupon Mail Emails To 	sales@nichelocks.com 	 
Send Copy of Admin Orders Status Emails To - Status 	0 	 
Send Copy of Admin Orders Status Emails To 	sales@nichelocks.com 	 
Allow Guest To Ask A Product Question 	true 	 
Send Copy of Pending Reviews Emails To - Status 	1 	 
Ask A Question Email To: 	sales@nichelocks.com 	 
Send Copy of Pending Reviews Emails To 	sales@nichelocks.com 	 
Ask A Question Name To 	Craig Squire 	 
Set "Contact Us" Email Dropdown List 		 
Allow Guest To Tell A Friend 	true 	 
Contact Us - Show Store Name and Address 	1 	 
Send Extra Low Stock Emails 	1 	 
Send Extra Low Stock Emails To 	sales@nichelocks.com 	 
Display "Newsletter Unsubscribe" Link? 	true 	 
Audience-Select Count Display 	true 	 
SMTP Email Mail Host 		 
SMTP Email Account Password 		 
SMTP Email Account Mailbox 		 
SMTP Email Account Mailbox 	YourDomain.com 	 
SMTP Email Account Password 	YourDomain.com 	 
SMTP Email Mail Host 	YourDomain.com 	 
SMTP Email Mail Server Port 	25

[kelvyn]

EDIT: I see you were posting at the same time I was writing! Yes, try SMTP instead.

OK, you need to check whether overrides are done in htaccess, or via a custom php.ini (more usual). Everyone should bookmark B&T Tips and Scripts as it has some good info on php.ini

Note that you will need to turn globals ON and not OFF!! Most hosts will say you can't do this, but in fact, you usually can. So it would look like:
"register_globals = On";

Although, my globals were off (only had to turn them of on for easypopulate) and mail still worked. Did you try changing the mail sending protocol in admin yet?

[Vger]

Tim Williams: Note that register_globals is going to be depracated (i.e., turned off
by
default) in the next version of PHP, because it often leads to security
bugs.

Total bull****. The guy is reading from an idiot screen. Register Globals has been turned 'off' by default in php.ini for years now. If the php installation is secure then there is no need to turn off Register Globals.

If this is an Apache server and you can use .htaccess files on it then put this code in a .htaccess file in the root of your web.

Code:

php_flag register_globals on

This will turn back on Register Globals just for your website.

Vger

[CES]

Thanks for the reply Vger

If this is an Apache server and you can use .htaccess files on it then put this code in a .htaccess file in the root of your web.

Code:

php_flag register_globals on

This will turn back on Register Globals just for your website.

Vger

Have done this with no luck.

Have changed the E-Mail Transport Method but still no joy.

Craig

[kelvyn]

Did you also try that change in php.ini?

I think you might want to install another simple and seperate php app that sends email, just to test things. But I have this feeling you are, unfortunately, in the hands of your hosts tech support now!

[CES]

Did you also try that change in php.ini?

I have looked for it but cannot seem to find it in any of the directories when I log in via ftp.

Any ideas where?

Craig

[kelvyn]

Read the B&T site I posted above - you need to COPY the "server default" php.ini, then customise, BUT, as vger noted, sometimes this change is done in .htaccess.
Sometimes, php.ini works for all subdirs, sometimes you need to copy it into all dirs.
Then is also depends on version of php

You're gonna need to get back to your host to be sure!