|
Posted by Kurda Yon on 01/14/08 21:42
>
> Because with register_globals on,
>
> http://www.example.com?admin=1
>
> sets $admin to 1 (true).
>
It is confusing because if I think about register_globals, I think
that it should be something to do with the global variables. But it
seems to be not related with the global variables. In the above
example if $admin is NOT a global variable, we still will have the
described problem. So, it is no matter if $admin is global or not. The
matter is that the script can take variables from the address line.
And with the "register_global off" we force the script NOT to take the
values from the address line. But it seems to me only a partial
solution, because hacker will try to pass the value of the $admin
through the form variables (or it is impossible?). So we should to
tell the script not to accept the form variables?
[Back to original message]
|