one of the php lists is probably a better forum for this question, but in short, register_globals=off means that if you want to use the "id" variable passed in the query string by the browser, you would access it as $HTTP_GET_VARS['id'], or $_GET['id'] in 4.1+, rather than $id. more info at http://www.php.net/manual/en/language.variables.predefined.php
xn On Fri, May 10, 2002 at 12:09:22AM +0800, Patrick Hsieh wrote: > Hello list, > > php4.1 recommends to set register_globals=off in php.ini to make php > more strict. My question is, if I turn off register_globals, what will > happen if any malicious user just try to modify the variable values in > the url? Say, > > http://www.domain.com/xxx.php?id=3&sex=female > > Does it work if user just change the value in the URL directly and send > the url directly to web server? > > How can we avoid the malicious attack by directly http GET/POST with > modified parameter values to make possible system error or compromise? > > > -- > Patrick Hsieh <[EMAIL PROTECTED]> > GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
