|
|
Posted by Jerry Stuckle on 01/14/08 22:48
Kurda Yon wrote:
>> Because with register_globals on,
>>
>> http://www.example.com?admin=1
>>
>> sets $admin to 1 (true).
>>
> It is confusing because if I think about register_globals, I think
> that it should be something to do with the global variables. But it
> seems to be not related with the global variables. In the above
> example if $admin is NOT a global variable, we still will have the
> described problem. So, it is no matter if $admin is global or not. The
> matter is that the script can take variables from the address line.
> And with the "register_global off" we force the script NOT to take the
> values from the address line. But it seems to me only a partial
> solution, because hacker will try to pass the value of the $admin
> through the form variables (or it is impossible?). So we should to
> tell the script not to accept the form variables?
>
Even if they pass it through a form it won't make any difference. With
register_globals off, the value will only be available in
$_POST['admin'] or $_GET['admin'], depending on whether the method is
POST or GET. $admin is not changed.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
[Back to original message]
|