On Fri, May 10, 2002 at 01:11:41AM +0800, Patrick Hsieh wrote:
> Yes. But when a user type the url something like login.php?id=fakeid
> Then $HTTP_GET_VARS['id'] and $_GET['id'] will also get "fakeid", right?
> How do I avoid users affecting the system by changing the variable
> values in the URL directly? If not, is there any way to protect myself
> from malicious url injection attack?
You don't avoid that. You can't avoid it. register_globals didn't avoid it either and if you rely on such behaviour then your application is clearly very broken. You should always check the data supplied to your CGI *very* carefully for just this reason.

See for instance (randomly picked from google): http://www-genome.wi.mit.edu/WWW/faqs/wwwsf4.html

-- 
Simon [ [EMAIL PROTECTED] ]
"JarJar Binks^W^WSupport for CRLF<->LF translation in the kernel must die." - Alexander Viro
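An added illustration of the advice above (example code, not from either poster): the URL parameter is validated against a strict allow-list, and the acting user is taken from the server-side session rather than from login.php?id=... . The session key `user_id` and the inline user table are assumptions for the example.

```php
<?php
// Added example: never treat $_GET['id'] as proof of identity.
// Assumption: login stored the authenticated user in $_SESSION['user_id'].
session_start();

// Constructed in-memory "user table" so the script runs stand-alone.
$users = array(
    1 => array('name' => 'patrick'),
    2 => array('name' => 'simon'),
);

// Allow-list check: the id must be a short positive integer and nothing
// else. "fakeid", "1 OR 1=1", "../etc" and an empty value are all rejected.
function valid_id($raw)
{
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// The authoritative identity is whatever the session recorded at login.
function current_user_id()
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

$me = current_user_id();
if ($me === null) {
    header('Location: /login.php');   // not logged in: the URL cannot help
    exit;
}

// Even a well-formed id in the URL is only a hint; it must match the
// session owner, otherwise the request is refused.
$requested = valid_id(isset($_GET['id']) ? $_GET['id'] : '');
if ($requested !== null && $requested !== $me) {
    header('HTTP/1.0 403 Forbidden');
    echo 'Not allowed.';
    exit;
}

if (!isset($users[$me])) {
    header('HTTP/1.0 404 Not Found');
    exit;
}
// Escape on output so a stored name cannot inject HTML into the page.
echo 'Welcome, ' . htmlspecialchars($users[$me]['name'], ENT_QUOTES, 'UTF-8');
```

The same pattern applies to any other query parameter: validate the shape you expect, then decide what the caller is allowed to do based on server-side state, not on the value they sent.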

