You are absolutely correct. However, the only value that security "feature" has is in the case that the program really cares which method the variable was received. I never have, and I doubt I ever will. I have had cases where I thought I'd be concerned with this but a rethink of the logic proved there was a better way. Even if I am concerned with such an issue I can always check the post array to make sure it is there.
The decision to default to 'off' was a good one, but it only protects certain types of programmers from accidentally creating holes. I am a bit more deliberate, and see no security value in it for myself. Therefore my installations remain register_globals="on"... If you'd like to pass your username and password on a query string be my guest, it'll work just fine. I don't recommend it though. <>< Ryan -----Original Message----- From: Mark [mailto:[EMAIL PROTECTED]] Sent: Monday, December 09, 2002 10:51 AM To: Ryan Jameson (USA); [EMAIL PROTECTED] Subject: RE: [PHP-DB] passing variables --- "Ryan Jameson (USA)" <[EMAIL PROTECTED]> wrote: > I missed the part where he was using an image. Without a value > property, I don't see how it could pass anything at all.... > > A note on my recent post, to emulate register_globals do this: > > if (!empty($_SERVER)) > extract($_SERVER); > > if (!empty($_GET)) { > extract($_GET); > } else if (!empty($HTTP_GET_VARS)) { > extract($HTTP_GET_VARS); > } > > if (!empty($_POST)) { > extract($_POST); > } else if (!empty($HTTP_POST_VARS)) { > extract($HTTP_POST_VARS); > } > > > This registers all of the different arrays. And completely nullifies the security value of having register_globals turned off. But I guess if you don't have access to the php.ini file this is as good... > <>< Ryan > ===== Mark Weinstock [EMAIL PROTECTED] *************************************** You can't demand something as a "right" unless you are willing to fight to death to defend everyone else's right to the same thing. -Stolen from the now-defunct Randy's Random mailing list. *************************************** __________________________________________________ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
