Re: How to trim parameters and give them a prefix?

Posted by jmark on 05/22/07 13:51

On May 22, 5:20 am, "Thomas Mlynarczyk" <tho...@mlynarczyk-webdesign.de> wrote:
> Also sprach j...@fastermail.com:
>
> >>> import_request_variables('gp', 'p_');
> >> Why? It's simpler, cleaner and safer to work with $_GET / $_POST
> >> directly.
> > > I may agree with simplicity and cleanliness to some extent, but how is
> > > it safer?
>
> There are general security issues with global variables. With
> register_globals on, anyone could create a global variable with any content
> in your script. Thus, you would have to be *very* careful and make
> absolutely sure all your global variables are properly initialized by your
> script. This can be done, of course, but it *is* a potential source for
> security leaks. In addition, there is a security hole in some versions of
> PHP (both 4 and 5) where it is possible for a hacker to overwrite your whole
> $GLOBALS array. Another point: If you import the request variables, you
> cannot be sure whether they come from $_GET or $_POST or if they are set at
> all.
>
> Of course, if register_globals is off, you are much safer. But what if
> someday your script runs in an environment with register_globals on?
> Besides, using global variables the way you intend to indicates bad coding
> practices. If someday your script should become part of another project
> using global variables, name collisions may occur leading to errors which
> might be hard to debug.
>
> Greetings,
> Thomas

Ok, the question that I was asking earlier on is why one would want to
import variables rather than use the $_POST variable, which is
global. So I thought you were referring to its safety over $_POST and
not to using ordinary global variables, which are set when
register_globals is on. As for using $_POST, there is no added security
in using imported variables, and to some extent you can say $_POST is
slightly more secure by comparison, as you are aware where your
variables are coming from.
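As an added example (not code from this thread), here is how the explicit $_POST approach Thomas recommends can still deliver what the original question asked for, trimmed values under a prefix, without importing anything into global scope. The field names, the sample input and the helper name are assumptions; only the 'p_' prefix comes from the quoted call.

```php
<?php
// Added example, not from the thread: read only an explicit list of
// expected POST fields, trim each one, and return them under a prefix in
// a local array. Nothing is written to the global scope, and every
// expected field is initialised here, so a stray global (register_globals
// on, or an imported request variable) can never stand in for one.
// $expected, the sample data and the function name are assumptions.

function collect_post_fields(array $source, array $expected, $prefix = 'p_')
{
    $result = array();
    foreach ($expected as $name) {
        // Only scalar string values are accepted; arrays or missing keys
        // become an empty string rather than being copied blindly.
        if (isset($source[$name]) && is_string($source[$name])) {
            $result[$prefix . $name] = trim($source[$name]);
        } else {
            $result[$prefix . $name] = '';
        }
    }
    // Fields that were not asked for (e.g. 'unexpected' below) are dropped,
    // which is what import_request_variables() would not do for you.
    return $result;
}

// Constructed sample standing in for $_POST; a real script passes $_POST itself.
$sample = array(
    'user'       => '  alice ',
    'comment'    => "hello\n",
    'unexpected' => 'ignored',
);

$fields = collect_post_fields($sample, array('user', 'comment'));
print_r($fields);
```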

