Posted by Sanders Kaufman on 12/06/06 03:13
Jerry Stuckle wrote:
> Sanders Kaufman wrote:
>> What is the security risk attached to having register_globals turned on?
>
> Well, among other things, a smart user could do something like:
>
> http://www.example.com?authorized=1&level=admin
>
> This could set the person as authorized, with admin level. Of course, a
> simple example - but you get the idea. Even the PHP designers have
> recommended against its use, and it will probably be removed in a future
> release.
It looks like you're saying that query string variables are
automatically made into $_SESSION variables - is that right?
If not - then the whole security issue is resolved by using $_GET and
$_POST correctly, right?
>>> $MyVar = isset($_SESSION['MyVar']) ? $_SESSION['MyVar'] : 0;
> I do have a tendency to get rather pissed off at people who think they
> know it all when they really have no clue. But after almost 40 years of
> programming I get a little jaded :-)
They say the toothless get ruthless. :)
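An added example, not part of the original thread: with register_globals on, request parameters become ordinary global variables (not $_SESSION entries), so the risk lies in code that reads a variable it never initialised. Because the setting was removed in PHP 5.4.0, the sketch emulates it with extract(); the function names and the session keys `user_id` and `level` are assumptions made for illustration.

```php
<?php
// Emulation of register_globals for a modern PHP: every request parameter
// is turned into a variable in the current scope. EXTR_SKIP keeps the
// function's own arguments from being overwritten.
function vulnerable_check(array $query, array $session): array
{
    extract($query, EXTR_SKIP);   // stand-in for register_globals = On

    // Defect: $authorized and $level are assigned only on the success path,
    // so a request parameter of the same name survives as their value.
    if (isset($session['user_id'])) {
        $authorized = 1;
        $level = $session['level'];
    }
    return ['authorized' => !empty($authorized), 'level' => $level ?? 'none'];
}

function hardened_check(array $query, array $session): array
{
    // Initialise every security-relevant variable first, then fill it only
    // from server-side state. $query is deliberately never consulted.
    $authorized = false;
    $level = 'none';
    if (isset($session['user_id'])) {
        $authorized = true;
        $level = isset($session['level']) ? $session['level'] : 'none';
    }
    return ['authorized' => $authorized, 'level' => $level];
}

// Constructed sample input: the query string from the URL quoted in the
// thread, sent by a visitor who has no logged-in session.
parse_str('authorized=1&level=admin', $query);
$session = [];

var_dump(vulnerable_check($query, $session));
var_dump(hardened_check($query, $session));
```

The hardened function follows the same pattern as the `isset($_SESSION['MyVar'])` line quoted in the thread: an explicit default plus a read from a named superglobal, which behaves the same whether or not register_globals is enabled.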