|
|
Posted by Jerry Stuckle on 02/07/07 16:20
Vincent Delporte wrote:
> On Wed, 7 Feb 2007 11:24:23 +0200, "P Pulkkinen"
> <perttu.POISTATAMA.pulkkinen@POISTATAMA.elisanet.fi> wrote:
>> If you put register_globals = off, and use $_request, $_get, $_post and
>> $_cookie, you'll surely know where your variables come from.
>
> Why is it dangerous to use globals, and not know where the data came
> from?
Well, as a simple example, let's say you put a value in your $_SESSION like:
$_SESSION('admin') = 1;
This indicates the person has signed on and is authorized to access your
admin screens. Now what happens if I do:
http://www.example.com/admin?admin=1
With register_globals on, I could access your admin screens even though
I'm not signed on, because both could set the variable $admin to 1.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Navigation:
[Reply to this message]
|