|
|
Posted by Rik on 02/07/07 16:30
Jerry Stuckle <jstucklex@attglobal.net> wrote:
> Vincent Delporte wrote:
>> On Wed, 7 Feb 2007 11:24:23 +0200, "P Pulkkinen"
>> <perttu.POISTATAMA.pulkkinen@POISTATAMA.elisanet.fi> wrote:
>>> If you put register_globals =3D off, and use $_request, $_get, $_po=
st =
>>> and $_cookie, you'll surely know where your variables come from.
>> Why is it dangerous to use globals, and not know where the data came=
>> from?
>
> Well, as a simple example, let's say you put a value in your $_SESSION=
=
> like:
>
> $_SESSION('admin') =3D 1;
>
> This indicates the person has signed on and is authorized to access yo=
ur =
> admin screens. Now what happens if I do:
>
> http://www.example.com/admin?admin=3D1
>
> With register_globals on, I could access your admin screens even thoug=
h =
> I'm not signed on, because both could set the variable $admin to 1.
Indeed, allthough this is offcourse bad coding. Every variable should be=
=
initialised, and every $_SESSION / $_POST / $_GET / $_COOKIE should be =
accessed like such. So, when coding correctly, having register_globals o=
n =
is not a problem. However, when making a tiny mistake or when relying in=
=
register_globals, that's where it goes wrong. In short, unless you're =
infallable having register_globals off is just better.
-- =
Rik Wasmus
Navigation:
[Reply to this message]
|