Hello "Christian G. Warden" <[EMAIL PROTECTED]>,

Yes. But when a user types a URL something like login.php?id=fakeid, then $HTTP_GET_VARS['id'] and $_GET['id'] will also get "fakeid", right? How do I avoid users affecting the system by changing the variable values in the URL directly? If not, is there any way to protect myself from malicious URL injection attacks?
On Thu, 9 May 2002 09:51:02 -0700 "Christian G. Warden" <[EMAIL PROTECTED]> wrote:

> one of the php lists is probably a better forum for this question, but
> in short, register_globals=off means that if you want to use the "id"
> variable passed in the query string by the browser, you would access it as
> $HTTP_GET_VARS['id'], or $_GET['id'] in 4.1+, rather than $id. more info
> at http://www.php.net/manual/en/language.variables.predefined.php
>
> xn
>
> On Fri, May 10, 2002 at 12:09:22AM +0800, Patrick Hsieh wrote:
> > Hello list,
> >
> > php4.1 recommends to set register_globals=off in php.ini to make php
> > more strict. My question is, if I turn off register_globals, what will
> > happen if any malicious user just tries to modify the variable values in
> > the URL? Say,
> >
> > http://www.domain.com/xxx.php?id=3&sex=female
> >
> > Does it work if a user just changes the value in the URL directly and sends
> > the URL directly to the web server?
> >
> > How can we avoid the malicious attack by direct HTTP GET/POST with
> > modified parameter values to make possible system error or compromise?
> >
> > --
> > Patrick Hsieh <[EMAIL PROTECTED]>
> > GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg
> >
> > --
> > To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

--
Patrick Hsieh <[EMAIL PROTECTED]>
GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg
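The parameter-tampering question above (a user rewriting id in the query string while register_globals is off) is answered by a two-step pattern: validate the shape of the value, then decide access from server-side session state rather than from the URL. This is an added example, not code from the thread; it assumes PHP 4.1+ superglobals ($_GET, $_SESSION) and uses a constructed in-memory owner table, lookup_record_owner(), in place of a real database.

```php
<?php
// Added example (not from the thread). register_globals=off only stops the
// query string from creating variables; $_GET['id'] is still attacker-chosen.

// Step 1: validate the *shape* of the untrusted value. A record id is a
// positive integer; "fakeid", "3 OR 1=1", "" and array input (id[]=x) are
// all rejected. Returns an int or null.
function parse_record_id($raw)
{
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Constructed sample data standing in for a database table: record id => owner id.
function lookup_record_owner($id)
{
    $owners = array(3 => 7, 4 => 8);
    return isset($owners[$id]) ? $owners[$id] : null;
}

// Step 2: a well-formed id is not a permission. Ownership is compared against
// the user id the server put into the session at login, never a URL value.
function may_view_record($session_user_id, $record_owner_id)
{
    return $record_owner_id !== null && $session_user_id === $record_owner_id;
}

// Returns the HTTP status the request should get; pure so it can be exercised
// without a web server. In the real script call it as
// handle_request($_GET, $_SESSION) after session_start().
function handle_request($get, $session)
{
    $id = parse_record_id(isset($get['id']) ? $get['id'] : '');
    if ($id === null) {
        return 400; // malformed value such as id=fakeid
    }
    if (!isset($session['user_id'])
        || !may_view_record($session['user_id'], lookup_record_owner($id))) {
        return 403; // valid-looking id, but not this user's record
    }
    return 200; // only now is $id safe to bind as an integer in a query
}

// Constructed requests: user 7 owns record 3 and may not read record 4.
var_dump(handle_request(array('id' => 'fakeid'), array('user_id' => 7))); // int(400)
var_dump(handle_request(array('id' => '4'),      array('user_id' => 7))); // int(403)
var_dump(handle_request(array('id' => '3'),      array('user_id' => 7))); // int(200)
```

The 403 case is the one the question is really about: changing id=3 to id=4 in the URL yields a perfectly valid integer, so input validation alone never prevents one user from reading another's record; the ownership check does.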

