On Wed, Jul 25, 2001 at 07:31:59AM -0700, Rasmus Lerdorf wrote:
> Because not everyone agrees that this is actually "highly recommended".
> Most third-party PHP code you may want to run will not work very well with
> register_globals off. And turning register_globals off isn't actually as
> helpful from a security perspective as many people seem to think.
>
> The basic thing it would help would be in cases like this:
>
> <?
> if($user=='rasmus') {
>     $ok = true;
> }
>
> if($ok) {
>     ... secure code ...
> }
> ?>

Don't forget the use of session variables.

On one page you:

    session_start();
    session_register("user");
    $user = 'admin';

And then on another page you:

    session_start();
    if ($user == 'admin')
    {
    }

If a malicious user goes to the second page first
they could overwrite $user and break security.
--
PHP Development Mailing List <http://www.php.net/>
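
The session case raised in this reply, as an added example that is not part of the original thread: the second page's check modelled with request and session data sharing one variable scope, beside a check that reads only the session store. Assumptions: `extract()` stands in for register_globals (removed in PHP 5.4), the function names `legacy_is_admin` and `hardened_is_admin` are hypothetical, and the three input cases are constructed.

```php
<?php
// Added example. register_globals no longer exists in PHP, so extract() is
// used here as a stand-in to model how it populated the variable scope.

/**
 * Model of the reply's second page under register_globals: request input
 * and registered session variables end up as the same plain variables.
 */
function legacy_is_admin(array $request, array $session): bool
{
    // Request parameters become local variables first ...
    extract($request);
    // ... and registered session variables, if any exist, overwrite them.
    extract($session);

    // Same loose comparison as in the reply's snippet.
    return isset($user) && $user == 'admin';
}

/**
 * Hardened form: identity is read only from the session store, never from
 * a variable that request input could have created, and compared strictly.
 */
function hardened_is_admin(array $request, array $session): bool
{
    return isset($session['user']) && $session['user'] === 'admin';
}

// Constructed cases: [request parameters, session contents].
$cases = [
    'second page first, user=admin in query' => [['user' => 'admin'], []],
    'logged-in admin, no query'              => [[], ['user' => 'admin']],
    'logged-in guest, user=admin in query'   => [['user' => 'admin'], ['user' => 'guest']],
];

foreach ($cases as $label => [$request, $session]) {
    printf(
        "%-42s legacy=%-5s hardened=%s\n",
        $label,
        var_export(legacy_is_admin($request, $session), true),
        var_export(hardened_is_admin($request, $session), true)
    );
}
```

The two checks disagree only in the first case, where no session value exists yet to overwrite the request-supplied `$user`.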