Reply to Re: -> PHP4 Singleton implementation question <-


Posted by Jerry Stuckle on 12/06/06 02:56

Sanders Kaufman wrote:
> Jerry Stuckle wrote:
>
>> Sanders Kaufman wrote:
>
>
>> It is if you have register_globals on - but that's a very bad thing to
>> have - a potential security risk.
>
>
> Aha! I seem to remember that being part of why I made up my own session
> logic. And it begs my next question:
>
> What is the security risk attached to having register_globals turned on?
>

Well, among other things, a smart user could do something like:

http://www.example.com?authorized=1&level=admin

This could set the person as authorized, with admin level. Of course, a
simple example - but you get the idea. Even the PHP designers have
recommended against its use, and it will probably be removed in a future
release.

>
>> $MyVar = isset($_SESSION['MyVar']) ? $_SESSION['MyVar'] : 0;
>
>
>
> BONUS! Is that a way of saying "if myvar isn't set, set it to zero"?
> I hope so because I've got a bunch of pages with the most convoluted
> code just to handle that "unset vs. set to zero" issue.
>

Yep. I use something similar all the time.

>> If $_SESSION['MyVar'] is set, the value in it will be placed in
>> $MyVar. But if $_SESSION['MyVar'] is not set, the code will set
>> $MyVar to 0 (adjust the default value as you wish - even null is ok).
>
>
> Cool. Thanks.
> You just despaghetti'd a mess o' code.
>
> ps. I tantrumed you as a troll about a month ago when an answer you
> gave was a little too *personal*. I'm glad I rebuilt my system and lost
> my filter.
>
>

:-)

I do have a tendency to get rather pissed off at people who think they
know it all when they really have no clue. But after almost 40 years of
programming I get a little jaded :-)

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
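
The register_globals risk and the isset() default discussed in the post above, shown side by side as an added example that is not part of the original thread. register_globals no longer exists (it was removed in PHP 5.4), so it is emulated here with extract(); the function names, the `user_id` session key and the sample data are assumptions made for illustration.

```php
<?php
// Constructed sample input: the query string from the post's URL, parsed
// the way PHP would populate $_GET for ?authorized=1&level=admin.
parse_str('authorized=1&level=admin', $request);

// Constructed session state for a visitor who has NOT logged in.
$session = array();

// Vulnerable pattern. register_globals is emulated with extract(): every
// request parameter silently becomes a variable in the current scope.
// (Hypothetical function name, not from the thread.)
function check_with_register_globals(array $request, array $session)
{
    extract($request);                 // what register_globals did implicitly
    if (isset($session['user_id'])) {  // real login path; not taken here
        $authorized = 1;
        $level = 'user';
    }
    // The script never initialised $authorized or $level itself, so the
    // values supplied in the URL are the ones that get tested.
    return array(
        'authorized' => !empty($authorized),
        'level'      => isset($level) ? $level : 'none',
    );
}

// Hardened pattern: ignore request-supplied names entirely and read only
// from the session, with explicit defaults via the isset() ternary quoted
// in the thread. (Hypothetical function name.)
function check_from_session(array $request, array $session)
{
    $authorized = isset($session['authorized']) ? $session['authorized'] : 0;
    $level      = isset($session['level']) ? $session['level'] : 'none';
    return array('authorized' => (bool) $authorized, 'level' => $level);
}

// Same request and same empty session passed to both checks.
var_dump(check_with_register_globals($request, $session));
var_dump(check_from_session($request, $session));
```

The first check reports whatever the URL supplied; the second falls back to its defaults because nothing in the session says otherwise.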
