Posted by Toby Inkster on 05/19/06 00:56

Andy Jeffries wrote:

> It's not a big risk if you don't code for it being on. The risk comes in
> using variables like $page when you should be using $_GET["page"]. The
> latter cannot be faked, $page could have been set in any number of ways.

I generally code specifically for it being *off*. e.g.

<?php
// $loggedin is never initialised here: with register_globals on, it can
// already be set from the query string before this code runs.
if ($_GET['username']=='tom' && $_GET['password']=='secret1')
$loggedin = TRUE;
elseif ($_GET['username']=='dick' && $_GET['password']=='secret2')
$loggedin = TRUE;
elseif ($_GET['username']=='harry' && $_GET['password']=='secret3')
$loggedin = TRUE;

if ($loggedin)
do_super_secret_stuff();
?>

With register_globals switched *on* a visitor can simply pass ?loggedin=1
and they get the secret stuff. So register_globals on can be a *serious*
security risk.

Luckily you can switch it off easily using, for example, .htaccess:

php_value register_globals off

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
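The same check rewritten so it is safe whether register_globals is on or off, as an added example that is not part of Toby's post; the credential table and the body of do_super_secret_stuff() are constructed for the demo.

```php
<?php
// Added example (not from the original post): a login check that cannot be
// bypassed with ?loggedin=1, independent of the register_globals setting.

function do_super_secret_stuff()
{
    echo "secret stuff\n";   // stand-in body; the original post defines none
}

/**
 * Decide whether the request authenticates a user. The request array is
 * passed in explicitly, so nothing outside this function (including a
 * register_globals-injected $loggedin) can influence the result.
 */
function is_logged_in(array $request, array $users)
{
    // Always start from a known state; never rely on an unset variable being falsy.
    $loggedin = false;

    // Only the superglobal (or a copy of it) is trusted as request input.
    $username = isset($request['username']) ? (string) $request['username'] : '';
    $password = isset($request['password']) ? (string) $request['password'] : '';

    if (isset($users[$username]) && $users[$username] === $password) {
        $loggedin = true;
    }
    return $loggedin;
}

// Constructed demo credentials mirroring the post; a real site would store
// password hashes (password_hash / password_verify), not plain text.
$users = array('tom' => 'secret1', 'dick' => 'secret2', 'harry' => 'secret3');

// Defence in depth: refuse to run if register_globals is on. The setting only
// exists in PHP < 5.4; on later versions ini_get() returns false here.
if (ini_get('register_globals')) {
    die("Refusing to run: register_globals is enabled.\n");
}

// A request carrying only ?loggedin=1 no longer works: the flag is local,
// initialised to false, and only the credential check can set it.
if (is_logged_in($_GET, $users)) {
    do_super_secret_stuff();
}
?>
```

For the Apache side, the PHP manual documents php_flag (not php_value) as the directive for boolean settings, so `php_flag register_globals off` is the form to prefer in .htaccess.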
