Posted by Rik on 05/19/06 04:03
Toby Inkster wrote:
> Andy Jeffries wrote:
>
>> It's not a big risk if you don't code for it being on. The risk
>> comes in using variables like $page when you should be using
>> $_GET["page"]. The latter cannot be faked, $page could have been
>> set in any number of ways.
>
> I generally code specifically for it being *off*.
Yup, not only a good idea, it also makes the code more portable.
> With register_globals switched *on* a visitor can simply pass
> ?loggedin=1 and they get the secret stuff. So register_globals on can
> be a *serious* security risk.
Hmmz, important values like that are ALWAYS initiated in my scripts.
eg:
    $logged_in = false;
    if (/* some validating */) {
        $logged_in = true;
    }
Grtz,
--
Rik Wasmus
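The register_globals failure mode discussed in this thread, side by side with the always-initialise pattern Rik describes, as an added example that is not code from the thread. Since register_globals cannot be switched on at runtime, its effect is reproduced with extract() on a constructed request; the function names and the $valid_users credential store are assumptions for the example.

```php
<?php
// Added example: the register_globals problem from the thread beside the
// explicit-initialisation fix. register_globals is a php.ini setting and
// cannot be toggled from a script, so extract() on a constructed request
// stands in for register_globals=On.

// Constructed request: a visitor simply appended ?loggedin=1 to the URL.
$request = ['loggedin' => '1', 'page' => 'home'];

// Vulnerable pattern: $loggedin is never initialised, so whatever the
// visitor put in the query string becomes the variable the check trusts.
function vulnerable_check(array $request): bool
{
    extract($request);          // models register_globals=On
    if (!empty($loggedin)) {    // $loggedin may have come straight from the URL
        return true;
    }
    return false;
}

// Hardened pattern: initialise the flag first, read input only from the
// request array (the $_GET/$_POST superglobals in a real script), and set
// the flag solely from a real credential check.
function hardened_check(array $request, array $valid_users): bool
{
    $logged_in = false;         // default decided before any input is read
    $user = $request['user'] ?? '';
    $pass = $request['pass'] ?? '';
    if (isset($valid_users[$user]) && password_verify($pass, $valid_users[$user])) {
        $logged_in = true;
    }
    return $logged_in;          // a stray ?logged_in=1 cannot reach this value
}

// Constructed credential store: one user with a hashed password.
$valid_users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

// The first call trusts the query string; the second ignores it; the third
// only succeeds because genuine credentials were supplied.
var_dump(vulnerable_check($request));
var_dump(hardened_check($request, $valid_users));
var_dump(hardened_check(['user' => 'alice', 'pass' => 'correct horse'], $valid_users));
```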