Re: global vars on/off

Posted by Jerry Stuckle on 02/07/07 18:07

Rik wrote:
> Jerry Stuckle <jstucklex@attglobal.net> wrote:
>
>> Vincent Delporte wrote:
>>> On Wed, 7 Feb 2007 11:24:23 +0200, "P Pulkkinen"
>>> <perttu.POISTATAMA.pulkkinen@POISTATAMA.elisanet.fi> wrote:
>>>> If you put register_globals = off, and use $_request, $_get, $_post
>>>> and $_cookie, you'll surely know where your variables come from.
>>> Why is it dangerous to use globals, and not know where the data came
>>> from?
>>
>> Well, as a simple example, let's say you put a value in your $_SESSION
>> like:
>>
>> $_SESSION['admin'] = 1;
>>
>> This indicates the person has signed on and is authorized to access
>> your admin screens. Now what happens if I do:
>>
>> http://www.example.com/admin?admin=1
>>
>> With register_globals on, I could access your admin screens even
>> though I'm not signed on, because both could set the variable $admin
>> to 1.
>
>
> Indeed, although this is of course bad coding. Every variable should be
> initialised, and every $_SESSION / $_POST / $_GET / $_COOKIE should be
> accessed like such. So, when coding correctly, having register_globals
> on is not a problem. However, when making a tiny mistake or when relying
> on register_globals, that's where it goes wrong. In short, unless you're
> infallible, having register_globals off is just better.
> --Rik Wasmus

Hi, Rik,

I didn't say it was *good* coding. But he did ask what the potential
problem was. :-)

And I've seen similar code way too many times, especially on sites built
for earlier versions of PHP.


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
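The failure mode Jerry describes, as an added example that is not part of the original post. register_globals was deprecated in PHP 5.3 and removed in 5.4, so the script emulates what the directive did by calling extract() on a constructed query string; extract($_REQUEST) in modern code recreates exactly the same hole. The function names, the fake session array and the query string are all assumptions made for this illustration.

```php
<?php
// Added example, not code from the thread.
// Emulates register_globals = on: every request parameter becomes a PHP variable,
// and a variable the script never initialised is filled by the attacker.

function vulnerable_is_admin(array $request, array $session): bool
{
    // Only assigned when the session carries the flag, otherwise $admin is undefined.
    if (isset($session['admin'])) {
        $admin = $session['admin'];
    }
    // What register_globals did for GET/POST/COOKIE data. EXTR_SKIP means an
    // existing $admin is kept, but an *uninitialised* one is created from ?admin=1.
    extract($request, EXTR_SKIP);
    return !empty($admin);
}

function hardened_is_admin(array $request, array $session): bool
{
    // Authorization comes from the session only and the flag is initialised
    // before use; the request array is deliberately never consulted.
    $admin = isset($session['admin']) && $session['admin'] === 1;
    return $admin;
}

// Constructed input: an anonymous visitor (empty session) requesting /admin?admin=1
$anonymousSession = [];
parse_str('admin=1', $forgedRequest);

// Constructed input: a user who really signed on, with no request tampering.
$adminSession = ['admin' => 1];
$cleanRequest = [];

printf("vulnerable, anonymous + ?admin=1 : %s\n", vulnerable_is_admin($forgedRequest, $anonymousSession) ? 'ADMIN' : 'denied');
printf("hardened,   anonymous + ?admin=1 : %s\n", hardened_is_admin($forgedRequest, $anonymousSession) ? 'ADMIN' : 'denied');
printf("hardened,   signed-on, clean URL : %s\n", hardened_is_admin($cleanRequest, $adminSession) ? 'ADMIN' : 'denied');
```

Run it with `php` from the command line. The first line shows the forged request being accepted because the script relied on $admin being empty for everyone who had not signed on; the hardened version gives the attacker nothing to inject into because the flag is initialised from $_SESSION alone. On legacy installs that still honour the directive, keep `register_globals = Off` in php.ini; on any PHP, treat `extract($_GET)`, `extract($_POST)` and `extract($_REQUEST)` as the same bug in a different spelling.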

 


Copyright © 2005-2006 Powered by Custom PHP Programming
