Posted by Jerry Stuckle on 06/13/59 12:00
Kurda Yon wrote:
>> ..
>> if( isset($admin) ) {
>> ..}
>>
>> ..
>>
>> Now: http://mysite.net/myscript.php?admin=1
>> Here we go.
>
> But even if register_globals is off, the following can happen:
> if( isset($_GET['admin']) ) {
> ..}
> Now: http://mysite.net/myscript.php?admin=1
>
> Or is the idea that the developer (programmer) will remember that $_GET
> is something that is coming from the outside and will never relate the
> access with the elements of $_GET?
>
That is true. But $_GET['admin'] is set - not $admin. And the only way
the $_GET array gets populated is by the query string in the URI (unless
you set it yourself - which is a bad idea).
And you know that $_GET['admin'] is coming from the query string. With
register_globals on, $admin could have been set by the session, a
cookie, or GET or POST parameters. And you have no idea where it came from.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
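
Added example, not part of the original post: a sketch of the source ambiguity discussed in this reply, comparing a check on a bare variable with a check that names the session as its source. register_globals no longer exists in current PHP, so `emulate_register_globals()` is a hypothetical stand-in, and its merge order and the sample requests are constructed assumptions.

```php
<?php
// Hypothetical emulation: returns variables as register_globals would have
// created them. The source of each value is lost in the result.
function emulate_register_globals(array $session, array $cookie, array $get, array $post): array
{
    // Merge order is an assumption for this demo; later arrays overwrite earlier ones.
    return array_merge($session, $cookie, $get, $post);
}

// Check in the style quoted in the thread: trusts a bare variable.
function is_admin_globals(array $vars): bool
{
    return isset($vars['admin']);
}

// Check that names its source: only the server-side session can grant access.
function is_admin_explicit(array $session): bool
{
    return isset($session['admin']) && $session['admin'] === true;
}

// Constructed sample requests (not from the thread).
$cases = [
    'logged-in admin, no query string' => ['session' => ['admin' => true], 'get' => []],
    'anonymous visitor, ?admin=1'      => ['session' => [], 'get' => ['admin' => '1']],
    'anonymous visitor, no parameters' => ['session' => [], 'get' => []],
];

foreach ($cases as $label => $req) {
    // Flatten all sources into one table, as register_globals did with the global scope.
    $vars = emulate_register_globals($req['session'], [], $req['get'], []);
    printf(
        "%-34s globals-style: %-5s explicit: %s\n",
        $label,
        is_admin_globals($vars) ? 'allow' : 'deny',
        is_admin_explicit($req['session']) ? 'allow' : 'deny'
    );
}
```

The two checks disagree only for the second case, where the value arrived in the query string rather than from the session.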