OK, so I was really bored today and started reading through some PHP
security stuff starting with the php.ini-recommended and found the register
globals off stuff. So you don't have to find it yourself, here's a direct
lift from the file:

; This is the recommended, PHP 4-style version of the php.ini-dist file.  It
; sets some non standard settings, that make PHP more efficient, more secure,
; and encourage cleaner coding.
; The price is that with these settings, PHP may be incompatible with some
; applications, and sometimes, more difficult to develop with.  Using this
; file is warmly recommended for production sites.  As all of the changes from
; the standard settings are thoroughly documented, you can go over each one,
; and decide whether you want to use it or not.
; For general information about the php.ini file, please consult the php.ini-dist
; file, included in your PHP distribution.
; This file is different from the php.ini-dist file in the fact that it features
; different values for several directives, in order to improve performance, while
; possibly breaking compatibility with the standard out-of-the-box behavior of
; PHP 3.  Please make sure you read what's different, and modify your scripts
; accordingly, if you decide to use this file instead.
; - register_globals = Off         [Security, Performance]
;     Global variables are no longer registered for input data (POST, GET, cookies,
;     environment and other server variables).  Instead of using $foo, you must use
;     you can use $_REQUEST["foo"] (includes any variable that arrives through the
;     request, namely, POST, GET and cookie variables), or use one of the specific
;     $_GET["foo"], $_POST["foo"], $_COOKIE["foo"] or $_FILES["foo"], depending
;     on where the input originates.  Also, you can look at the
;     import_request_variables() function.
;     Note that register_globals is going to be deprecated (i.e., turned off by
;     default) in the next version of PHP, because it often leads to security bugs.
;     Read http://php.net/manual/en/security.registerglobals.php for further
;     information.

I understand that this applies to data put into a form to be submitted to a
database (or another page, I guess), but does it also apply to
variable/value pairs passed along the URL from a hyperlink (<a
href="foo/bar.php?thisVar=thisVal">Click here.</a>)? I couldn't quite get it
from the explanation above. Would I need to reference the passed variable
with $_GET["thisVal"] on the receiving page (bar.php)? I'm sure I would have
to if $thisVar was passed from a form with the GET method, but wasn't sure
about the hyperlink stuff.

Anybody working with register globals off already that can clear this up?


PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

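An added example, not part of the original post or of the php.ini text it quotes, showing what the receiving page looks like once register_globals is Off. To PHP a hyperlink such as bar.php?thisVar=thisVal and a form submitted with method="get" are the same thing: both put name/value pairs in the query string, and the query string is parsed into $_GET regardless of where the link was clicked. The script also contrasts the register_globals-style pattern the php.ini comment warns about (emulated here with extract(), which is what "every request variable becomes a global" amounts to) with explicit, validated reads from $_GET. The parameter names, the "authorized" check and the sample query string are constructed for the illustration; run it from the command line with php bar.php.

```php
<?php
// Added example (not the original poster's code): reading a value that arrives
// in the URL of a plain hyperlink on the receiving page, with register_globals Off.

declare(strict_types=1);

// Constructed sample request so the script runs from the command line without a
// web server. "authorized=1" is the kind of extra parameter an attacker appends
// to a link; it is not something bar.php ever asked for.
if (PHP_SAPI === 'cli') {
    $_SERVER['QUERY_STRING'] = 'thisVar=thisVal&authorized=1';
    parse_str($_SERVER['QUERY_STRING'], $_GET);
}

// Vulnerable pattern: what register_globals = On effectively did. Every request
// variable becomes a PHP variable, so a variable the script never initialised
// ($authorized) can be supplied by whoever builds the URL. extract() is used only
// to emulate that behaviour; do not write this in real code.
function vulnerableCheck(array $request): string
{
    extract($request);                        // emulates register_globals = On
    if (isset($authorized) && $authorized) {  // attacker set ?authorized=1
        return 'admin area';
    }
    return 'public area';
}

// Hardened pattern: initialise your own state, read only the parameters you
// expect, take them from the superglobal that matches where they are supposed
// to come from ($_GET for a link or GET form), and validate their shape.
function hardenedCheck(array $get): string
{
    $authorized = false;                      // the request cannot set this
    $thisVar = $get['thisVar'] ?? null;       // the value from ?thisVar=... in the link

    // Assumption for this example: thisVar is a short slug, nothing else is accepted.
    if (!is_string($thisVar) || !preg_match('/^[A-Za-z0-9_-]{1,32}$/', $thisVar)) {
        return 'bad request';
    }
    return $authorized ? 'admin area' : 'public area, thisVar=' . $thisVar;
}

echo 'register_globals-style: ', vulnerableCheck($_GET), PHP_EOL;
echo 'explicit $_GET:         ', hardenedCheck($_GET), PHP_EOL;
```

The first line of output shows the forged authorized=1 opening the admin branch; the second shows the same request handled safely, with thisVar read by name from $_GET and the extra parameter ignored. The same explicit reads apply whether thisVar came from a hyperlink or from a GET form, so the answer to the question is yes: reference it as $_GET["thisVar"] in bar.php.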