Posted by Hilarion on 10/25/05 15:51
> * register_globals = On is dangerous because it can mask or be masked
> by other variable
I'm not sure if I understand you. If you are talking about variable scope,
then it has not much to do with register_globals. Regardless of it
being on or off, all variables have the same scope. register_globals only
makes some variables automatically set to values from the environment
($_ENV, $_SERVER) and from the request ($_REQUEST or rather directly
$_GET, $_POST and $_COOKIE).
> * register_globals = On is dangerous because users can add variables
> to the query string and override stuff you thought was safe
Yes. Having that in mind, it's also possible to write scripts that are
safe even when register_globals is on, but if it's off then writing
insecure scripts is still possible (for example register_globals
does not affect most SQL injection attacks).
> With register_globals = On, PHP creates an $var for every
> $_SESSION['var'].
As far as I know it does not. It does it (by reference) when calling
session_register.
> These are not available within function unless you
> use "global $var", so "$var m= 27;" within a function will create a
> local $var which will mask your session $var
Yes, because it's a global variable and all scope rules apply.
> Setting $HTTP_SESSION_VARS ["country"] = $country; means that anything
> you do to $country will be done to $HTTP_SESSION_VARS ["country"] since
> they are now one and the same (I think)
Nope. This only assigns the value of the $country variable to the session
values array. It does not bind the variable as a session variable.
session_register does the bind. Additionally, $HTTP_SESSION_VARS is
only a global variable (scope rules apply), not a superglobal
like $_SESSION (available in all scopes).
> BUT...$country still has the same scope that any other $var has, so if
> you do $HTTP_SESSION_VARS ["country"] = $country; within a function,
> $country disappears when the function ends ($HTTP_SESSION_VARS
> ["country"] remains, though)
As above. This assignment does nothing to global variables, including
session values, because the $HTTP_SESSION_VARS and $country variables
are local to the function.
> Simple answer: Stick with $_SESSION['country'] - it's simpler, obvious,
> and a lot safer
I agree.
Hilarion
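The two points of the thread, that an uninitialized global can be overridden from the request when register_globals is on, and that $HTTP_SESSION_VARS inside a function is just a local array while $_SESSION is a superglobal, are shown side by side in the following script. It is an added example, not code from the thread, and it assumes a PHP 4/5 era interpreter with sessions available; the register_globals behaviour is described in comments because the directive cannot be toggled from inside a script (and was removed in PHP 5.4). The credentials and country values are constructed for the demo.

```php
<?php
// Added example (not from the thread). Constructed demo values throughout.
session_start();

// --- 1. Uninitialized globals vs. register_globals -----------------------
//
// UNSAFE pattern: $authorized is never initialized. With register_globals = On
// a request carrying ?authorized=1 would already have set the global before
// this code runs, so the "if ($authorized)" below would pass without a login.
function login_unsafe_pattern($user, $pass) {
    global $authorized;                          // deliberately NOT initialized
    if ($user === 'admin' && $pass === 'demo-pass') {
        $authorized = true;
    }
    return isset($authorized) && $authorized;
}

// SAFE pattern: every variable that gates a decision is initialized by the
// script itself, and the result is kept in $_SESSION, which register_globals
// does not populate from $_GET/$_POST/$_COOKIE.
function login_safe_pattern($user, $pass) {
    $authorized = false;                         // explicit default
    if ($user === 'admin' && $pass === 'demo-pass') {
        $authorized = true;
    }
    $_SESSION['authorized'] = $authorized;       // superglobal, any scope
    return $_SESSION['authorized'];
}

// --- 2. $HTTP_SESSION_VARS inside a function vs. $_SESSION ----------------
//
// $HTTP_SESSION_VARS is an ordinary global array, so inside a function it is
// a fresh local variable unless declared with "global". This assignment is
// lost when the function returns.
function set_country_local($country) {
    $HTTP_SESSION_VARS['country'] = $country;
    return isset($HTTP_SESSION_VARS['country']);  // true, but only locally
}

// $_SESSION is a superglobal: visible from every scope and persisted.
function set_country_session($country) {
    $_SESSION['country'] = $country;
    return isset($_SESSION['country']);
}

// --- Demo run --------------------------------------------------------------
var_dump(login_unsafe_pattern('admin', 'wrong'));   // bool(false) here, but
                                                    // overridable under register_globals = On
var_dump(login_safe_pattern('admin', 'wrong'));     // bool(false), always

set_country_local('PL');
var_dump(isset($HTTP_SESSION_VARS['country']));     // bool(false): local copy discarded

set_country_session('PL');
var_dump(isset($_SESSION['country']));              // bool(true): superglobal persisted
var_dump($_SESSION['country']);                     // string(2) "PL"
```

The practical rule that falls out of the demo matches the thread's conclusion: initialize every variable before testing it, never let request input reach a decision without explicit validation, and keep session state in $_SESSION rather than in plain globals or $HTTP_SESSION_VARS.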