Posted by AnrDaemon on 10/24/07 14:45
Greetings, +mrcakey.
In reply to Your message dated Wednesday, October 24, 2007, 14:57:09,
m> I understand that register_globals was turned off by default as, unless
m> you initialised it, it could be altered by a malicious coder.
m> What I don't understand is how the $_POST['foo'] form is any more
m> secure.
It is more secure than $foo. For sure.
m> Surely Mr Malicious Coder can still just send his own version
m> of $_POST['foo']?
Yep, but You can't accidentally fetch it by using $foo somewhere in Your
script.
You should call $_POST['foo'] explicitly to deal with user input.
m> Obviously I'm missing something, I just can't figure out what!
Hope I've explained it enough to give You a point.
--
Sincerely Yours, AnrDaemon <anrdaemon@freemail.ru>
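
The difference described in the reply above, as an added example that is not part of the original post. register_globals was removed in PHP 5.4, so its effect is emulated here with extract(); the request data is constructed and check_login() is a hypothetical stand-in for a real credential check.

```php
<?php
// Constructed request data: the form is only meant to send "user",
// but the sender has added an "authorized" field of their own.
$request = ['user' => 'guest', 'authorized' => '1'];

// Hypothetical stand-in for a real credential check.
function check_login(string $user): bool
{
    return $user === 'admin';
}

// register_globals = On, emulated with extract(): every request field
// becomes a variable in the current scope.
function with_register_globals(array $request): bool
{
    extract($request);               // creates $user and $authorized
    if (check_login($user)) {
        $authorized = true;
    }
    // The script never initialised $authorized, so when the login check
    // fails the value that arrived with the request is still in it.
    return !empty($authorized);
}

// register_globals = Off: request data is reachable only through the
// array, so $authorized holds nothing but what the script assigned.
function with_explicit_post(array $post): bool
{
    $authorized = false;
    $user = isset($post['user']) ? (string) $post['user'] : '';
    if (check_login($user)) {
        $authorized = true;
    }
    return $authorized;
}

// Same request, two outcomes: the first call treats the sender as
// authorized, the second does not.
var_dump(with_register_globals($request));
var_dump(with_explicit_post($request));
```

The sender can put anything into $_POST in both cases; what changes is that the request can no longer create or overwrite variables the script never asked for.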