Only is register_globals is on can that reset a variable.  You are
correct though, defining directory paths is safer.

Thank you,
Micah Gersten
onShore Networks
Internal Developer
http://www.onshore.com



Joseph Crawford wrote:
> read up on register_globals.  It is a security risk because if i do
> http://domain.com/file.php?plugins_directory=/directory/
>
> it can reset your variable.
>
> the best way to do that is to make PLUGINS_DIR a constant
>
> define('PLUGINS_DIR', '/directory/');
>
> Joseph Crawford
>
> On Sep 23, 2008, at 12:58 PM, michael wrote:
>
>> I get an error stating that this line in my code is a security risk
>> when I code it.
>>
>> require_once($PLUGINS_DIRECTORY."forum/forum.php");
>>
>> here is what the explanation is:
>>
>> include() or analogous is used with variable argument this can be
>> dangerous since variables are in many cases controlled by remote users.
>>
>> the recommended  soloution is to write it this way
>>
>> define('SCRIPT_PATH',"/htdocs");
>> include ('sSCRIPT_PATH."/Foo.inc");
>>
>> my question is why is the other way safer? im kinda confused..
>>
>>
>>
>> -- 
>> PHP Database Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>
>

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to