Reply to Re: register_globals security risk — PHP Programming Language

Posted by Andy Jeffries on 05/18/06 23:05

On Thu, 18 May 2006 19:49:07 +0000, Ham Pastrami wrote:
> My hosting provider has register_globals on. How big of a security risk is
> this, and is there a workaround for it if I can't convince them to turn it
> off? At the moment I am running phpbb and mantis on my site.

It's not a big risk if you don't code for it being on. The risk comes in
using variables like $page when you should be using $_GET["page"]. The
latter cannot be faked, $page could have been set in any number of ways.

So, code sensibly and it doesn't matter whether register_globals is on or
off. Code so that it must be turned on and you're potentially up the
creek.

Cheers,

Andy

--
Andy Jeffries MBCS CITP ZCE | gPHPEdit Lead Developer
http://www.gphpedit.org | PHP editor for Gnome 2
http://www.andyjeffries.co.uk | Personal site and photos

[Back to original message]

Удаленная работа для программистов • Как заработать на Google AdSense • England, UK • статьи на английском • PHP MySQL CMS Apache Oscommerce • Online Business Knowledge Base • DVD MP3 AVI MP4 players codecs conversion help

Home • Search • Site Map • Set as Homepage • Add to Favourites

Сайт изготовлен в Студии Валентина Петручека —
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация