Nope.  You can have variables pre-set when the script starts from
both perl and PHP.  I have to use it since I have forms that send
a variable number of variables to the controlling script.  It's a lot
easier to just pull the variables out of thin air than set up all
the code to figure out how many variables have been passed, create them
and populate them.

Yea yea, bad coding.  Guess I should look at it.  Given I initialize
any other variables before using them, and I'm not sure if you can have
script variables overwrite the PHP defaults, I'm not sure how much of a
problem it is.

-Mark

On Thu, 2002-03-07 at 10:54, [EMAIL PROTECTED] wrote:
> 
> In a message dated: Thu, 07 Mar 2002 10:33:41 EST
> Benjamin Scott said:
> 
> >> Also, things like path, shell, and other environmental variables are all
> >> set using the global "%ENV" hash, which *should* be cleared out and set to
> >> known, safe, and accepted defaults.
> >
> >  Which won't matter much if anyone on the web can reset them for you.  :-)
> 
> I don't believe these can be set from a web form.  Usually, when 
> doing CGI with perl, one uses CGI.pm or something similar, and sets 
> up the variables allowed to be modified like:
> 
>       my ($foo) = $q->param("foo");
> 
> And that's the only way $foo gets created, you have to at least 
> explicitly assign to it.  I'm not sure how some variable can 
> automagically come into existence through form and have malicious 
> content assigned to it.  The programmer must state which fields get 
> assigned to which variables.
> 
> It is possible to enter things into a form like:
> 
>       Name: "$ENV{'PATH'}='/etc'"
> 
> or something like that, but unless you then did an eval on that form 
> variable, nothing's ever going to happen with it.  And if you're 
> eval'ing external code like that, you *really* better know what 
> you're doing. (I've never, ever used 'eval'.  Mostly because I don't 
> understand how to and I'm petrified of the ramifications if I tried :)
> 
> >  I agree with everything you said in this message, except for the "I don't
> >think that's true part", since I was saying the same thing you are.  :-)
> 
> Well all right then!  As long as that's the case, have it your way ;)
> -- 
> 
> Seeya,
> Paul
> 
> 
> 
> *****************************************************************
> To unsubscribe from this list, send mail to [EMAIL PROTECTED]
> with the text 'unsubscribe gnhlug' in the message body.
> *****************************************************************



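As an added illustration (not code from the thread or from any poster), the PHP below contrasts what automatic registration of form fields does with an explicit reader for a form that sends a variable number of fields; the `item_N` field names, the constructed request array and both function names are assumptions.

```php
<?php
// Added example: variable-count form fields without register_globals.
// Field names, the constructed request and function names are assumed.

// Simulates what register_globals does before the script body runs: every
// form field becomes a script variable, with no allowlist. A field the
// script never initializes (here "is_admin") is defined by the client.
function registerGlobalsLike(array $form): array {
    $scope = [];
    foreach ($form as $name => $value) {
        $scope[$name] = $value;
    }
    return $scope;
}

// Explicit alternative: only fields matching a known name pattern are
// read, the index is bounded and typed, and every other field in the
// request is ignored rather than becoming a variable.
function readItemFields(array $form, int $maxItems = 100): array {
    $items = [];
    foreach ($form as $name => $value) {
        if (!preg_match('/^item_(\d{1,3})$/', $name, $m)) {
            continue; // unexpected field name: skipped
        }
        $index = (int) $m[1];
        if ($index < 1 || $index > $maxItems || !is_string($value)) {
            continue; // out of range or not a scalar string
        }
        $items[$index] = trim($value);
    }
    ksort($items);
    return $items;
}

// Constructed request: three legitimate fields plus one the form never had.
$constructedPost = [
    'item_1'   => 'apples',
    'item_2'   => 'pears',
    'item_3'   => 'plums',
    'is_admin' => '1',
];

// Auto-registered scope: "is_admin" exists even though no script code set it,
// which is why initializing every variable before use matters.
$scope = registerGlobalsLike($constructedPost);
print_r($scope);

// Explicit reader: the unexpected field never reaches the script's variables.
$items = readItemFields($constructedPost);
print_r($items);
```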