Re: -> PHP4 Singleton implementation question <-

Posted by Jerry Stuckle on 12/06/06 03:46

Sanders Kaufman wrote:
> Jerry Stuckle wrote:
>
>> Sanders Kaufman wrote:
>
>
>>> What is the security risk attached to having register_globals turned on?
>>
>>
>> Well, among other things, a smart user could do something like:
>>
>> http://www.example.com?authorized=1&level=admin
>>
>> This could set the person as authorized, with admin level. Of course,
>> a simple example - but you get the idea. Even the PHP designers have
>> recommended against its use, and it will probably be removed in a
>> future release.
>
>
> It looks like you're saying that query string variables are
> automatically made into $_SESSION variables - is that right?
>

I'm saying that any variable ($_GET, $_POST or $_SESSION) with that
index can replace the variable, i.e. $MyVar could originate in
$_SESSION["MyVar"], but could also come from $_POST["MyVar"] or
$_GET["MyVar"]. And if you have multiple, the settings in your php.ini
file determine which takes precedence.

This can be very dangerous.

> If not - then the whole security issue is resolved by using $_GET and
> $_POST correctly, right?
>

Yes, you can use $_GET and $_POST (and $_SESSION). And if you leave
register_globals off, then you *must* use them. Less chance for error.

>
>>>> $MyVar = isset($_SESSION['MyVar']) ? $_SESSION['MyVar'] : 0;
>
>
>
>> I do have a tendency to get rather pissed off at people who think they
>> know it all when they really have no clue. But after almost 40 years
>> of programming I get a little jaded :-)
>
>
> They say the toothless get ruthless. :)


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
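The behaviour Jerry describes, as an added example that is not part of the original thread: a script that never initialises `$authorized` and so inherits whatever `register_globals` pulled out of the request, beside the explicit `$_SESSION` lookup that closes the hole. The request arrays, the `merge_request_globals`, `access_level_vulnerable` and `access_level_safe` functions, and the use of `extract()` to stand in for `register_globals` are all constructed for this demonstration; the left-to-right, later-overwrites-earlier handling of `variables_order` is PHP's documented behaviour. It runs under the PHP CLI with no request at all.

```php
<?php
// Added example (not from the original thread): reproduces what
// register_globals=On did to a script that never initialised $authorized,
// and shows the explicit-superglobal form that removes the problem.

// Constructed request data, standing in for a real HTTP request such as
// http://www.example.com?authorized=1&level=admin from the thread.
$request = array(
    'G' => array('authorized' => '1', 'level' => 'admin'),  // $_GET
    'P' => array(),                                         // $_POST
    'C' => array(),                                         // $_COOKIE
    'S' => array(),                                         // $_SESSION: fresh visitor, nothing set yet
);

// Builds the set of variables register_globals would inject into the global
// scope. $order plays the role of variables_order in php.ini ("EGPCS" by
// default): sources are imported left to right, so a later source overwrites
// an earlier one with the same name; letters with no data here are skipped.
function merge_request_globals($sources, $order)
{
    $merged = array();
    for ($i = 0; $i < strlen($order); $i++) {
        $letter = $order[$i];
        if (isset($sources[$letter])) {
            $merged = array_merge($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Vulnerable pattern: the script assumes $authorized can only have been set
// by its own login code, so it never initialises it. extract() stands in for
// register_globals populating the scope from the request.
function access_level_vulnerable($injected)
{
    extract($injected);
    if (!empty($authorized)) {           // true here purely because of the query string
        return isset($level) ? $level : 'user';
    }
    return 'anonymous';
}

// Hardened form: every variable is initialised from the one array that is
// allowed to supply it, so nothing the request adds to the scope is consulted.
function access_level_safe($session)
{
    $authorized = isset($session['authorized']) ? (int) $session['authorized'] : 0;
    $level      = isset($session['level']) ? $session['level'] : 'user';
    return $authorized ? $level : 'anonymous';
}

$injected = merge_request_globals($request, 'EGPCS');
echo "register_globals on, uninitialised \$authorized: "
   . access_level_vulnerable($injected) . "\n";
echo "explicit \$_SESSION lookup:                     "
   . access_level_safe($request['S']) . "\n";

// Precedence demonstration: under "GP" the POST value wins over the GET value,
// under "PG" it is the other way round, which is why php.ini decides.
$conflict = array(
    'G' => array('level' => 'from_get'),
    'P' => array('level' => 'from_post'),
);
$gp = merge_request_globals($conflict, 'GP');
$pg = merge_request_globals($conflict, 'PG');
echo "GP order: " . $gp['level'] . ", PG order: " . $pg['level'] . "\n";

// Check worth running at startup on a PHP 4/5 host rather than assuming the
// setting is off (the directive was removed in PHP 5.4; ini_get then returns false).
if (ini_get('register_globals')) {
    fwrite(STDERR, "register_globals is enabled: initialise every variable before use\n");
}
```

The first `echo` shows the access decision being made entirely by values the visitor typed into the URL; the second shows the same decision made from the session array alone, which is what Jerry means by "you *must* use them" when `register_globals` is off. The precedence block is the concrete form of his remark that php.ini decides which source wins when `$_GET` and `$_POST` both carry the same name.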