You are absolutely correct. However, the only value that security "feature" has is in 
the case that the program really cares by which method the variable was received. I never 
have, and I doubt I ever will. I have had cases where I thought I'd be concerned with 
this, but a rethink of the logic proved there was a better way. Even if I am concerned 
with such an issue, I can always check the post array to make sure it is there.

The decision to default to 'off' was a good one, but it only protects certain types of 
programmers from accidentally creating holes. I am a bit more deliberate, and see no 
security value in it for myself. Therefore my installations remain 
register_globals="on"...

If you'd like to pass your username and password on a query string be my guest, it'll 
work just fine. I don't recommend it though.

<>< Ryan

-----Original Message-----
From: Mark [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 09, 2002 10:51 AM
To: Ryan Jameson (USA); [EMAIL PROTECTED]
Subject: RE: [PHP-DB] passing variables

--- "Ryan Jameson (USA)" <[EMAIL PROTECTED]> wrote:
> I missed the part where he was using an image. Without a value
> property, I don't see how it could pass anything at all....
> 
> A note on my recent post, to emulate register_globals do this:
> 
> if (!empty($_SERVER)) {
>     extract($_SERVER);
> }
> 
> if (!empty($_GET)) {
>     extract($_GET);
> } else if (!empty($HTTP_GET_VARS)) {
>     extract($HTTP_GET_VARS);
> }
> 
> if (!empty($_POST)) {
>     extract($_POST);
> } else if (!empty($HTTP_POST_VARS)) {
>     extract($HTTP_POST_VARS);
> }
> 
> 
> This registers all of the different arrays.

And completely nullifies the security value of having
register_globals turned off. But I guess if you don't have access to
the php.ini file this is as good...

> <>< Ryan
> 

=====
Mark Weinstock
[EMAIL PROTECTED]
***************************************
You can't demand something as a "right" unless you are willing to fight to death to 
defend everyone else's right to the same thing.
-Stolen from the now-defunct Randy's Random mailing list.
***************************************


--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
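The point Mark raises against the extract() emulation quoted in the thread is easiest to see with a request in hand. The following is an added example written for this page, not code posted by either Ryan or Mark: it takes the same extract($_GET)/extract($_POST) pattern, runs it inside a login handler that leaves $authorized unset unless a credential check passes, and compares it with a handler that reads the superglobals explicitly and initialises every variable it decides on. The request arrays, the check_credentials() function and the variable names are all constructed for the demonstration.

```php
<?php
// Added example (not from the thread). Shows how emulating register_globals
// with extract() lets a request parameter stand in for an internal variable,
// and how explicit reads of $_GET/$_POST with initialised variables avoid it.

// Hypothetical credential check standing in for a real database lookup.
function check_credentials($user, $pass)
{
    return $user === 'alice' && $pass === 'correct horse';
}

// Handler using the emulation quoted in the thread: every request key becomes
// a local variable. $authorized is only assigned when the check succeeds, but
// extract() will happily create it from ?authorized=1 in the query string.
function handle_with_extract(array $get, array $post)
{
    if (!empty($get)) {
        extract($get);   // default EXTR_OVERWRITE: also clobbers existing variables
    }
    if (!empty($post)) {
        extract($post);
    }

    if (isset($user, $pass) && check_credentials($user, $pass)) {
        $authorized = true;
    }

    return !empty($authorized) ? 'granted' : 'denied';
}

// Hardened handler: no extract(); every variable the decision depends on is
// initialised here and only changed by the code path that is meant to change it.
function handle_explicit(array $get, array $post)
{
    $authorized = false;
    $user = isset($post['user']) ? $post['user'] : null;
    $pass = isset($post['pass']) ? $post['pass'] : null;

    if ($user !== null && $pass !== null && check_credentials($user, $pass)) {
        $authorized = true;
    }

    return $authorized ? 'granted' : 'denied';
}

// If extract() is really wanted for convenience, EXTR_PREFIX_ALL keeps request
// keys from colliding with internal names: ?authorized=1 becomes $get_authorized.
function handle_prefixed(array $get, array $post)
{
    $authorized = false;
    extract($get, EXTR_PREFIX_ALL, 'get');
    extract($post, EXTR_PREFIX_ALL, 'post');

    if (isset($post_user, $post_pass) && check_credentials($post_user, $post_pass)) {
        $authorized = true;
    }

    return $authorized ? 'granted' : 'denied';
}

// Constructed requests: an empty one, a valid login, and one that supplies
// the internal flag name directly in the query string.
$cases = [
    'no credentials'           => [[], []],
    'valid POST login'         => [[], ['user' => 'alice', 'pass' => 'correct horse']],
    'GET ?authorized=1 only'   => [['authorized' => '1'], []],
];

foreach ($cases as $label => $request) {
    list($get, $post) = $request;
    printf("%-24s extract: %-8s explicit: %-8s prefixed: %s\n",
        $label,
        handle_with_extract($get, $post),
        handle_explicit($get, $post),
        handle_prefixed($get, $post));
}
```

Run with `php example.php`: the third case reports "granted" from the extract() handler and "denied" from the other two, which is exactly the hole the register_globals default of "off" was introduced to close. Note that extract() inside a function only populates that function's scope; the snippet quoted in the thread runs at file level, where it populates globals, but the overwrite behaviour is the same.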
