Posted by +mrcakey on 10/31/07 16:36

AnrDaemon wrote:
> Greetings, +mrcakey.
> In reply to Your message dated Wednesday, October 24, 2007, 14:57:09,
>
> m> I understand that register_globals was turned off by default as, unless
> m> you initialised it, it could be altered by a malicious coder.
>
> m> What I don't understand is how the $_POST['foo'] form is any more
> m> secure.
>
> It is more secure, than $foo. For sure.
>
> m> Surely Mr Malicious Coder can still just send his own version
> m> of $_POST['foo']?
>
> Yep, but You can't accidentally fetch it by using $foo somewhere in Your
> script.
> You should call $_POST['foo'] explicitly to deal with user input.
>
> m> Obviously I'm missing something, I just can't figure out what!
>
> Hope I've explained it enough to give You a point.
>
>

Essentially then register_globals exposes ALL your variables to attack
from outside rather than just those you're fetching explicitly from
$_GET, $_POST etc. I understand now. Thanks to all who replied.

+mrcakey

[Back to original message]