Posted by Andy Jeffries on 05/18/06 23:05

On Thu, 18 May 2006 19:49:07 +0000, Ham Pastrami wrote:
> My hosting provider has register_globals on. How big of a security risk is
> this, and is there a workaround for it if I can't convince them to turn it
> off? At the moment I am running phpbb and mantis on my site.

It's not a big risk if you don't code for it being on. The risk comes in
using variables like $page when you should be using $_GET["page"]. The
latter cannot be faked, $page could have been set in any number of ways.

So, code sensibly and it doesn't matter whether register_globals is on or
off. Code so that it must be turned on and you're potentially up the
creek.

Cheers,


Andy

--
Andy Jeffries MBCS CITP ZCE | gPHPEdit Lead Developer
http://www.gphpedit.org | PHP editor for Gnome 2
http://www.andyjeffries.co.uk | Personal site and photos

• Next in forum: Re: Postgres Insert return codes
• Prev in forum: Re: Three different ways to create a new Smarty object?
• Thread view: Re: register_globals security risk

[Reply to this message]