On Wed, Jul 25, 2001 at 07:31:59AM -0700, Rasmus Lerdorf wrote:
> Because not everyone agrees that this is actually "highly recommended".
> Most third-party PHP code you may want to run will not work very well with
> register_globals off.  And turning register_globals off isn't actually as
> helpful from a security perspective as many people seem to think.
> The basic thing it would help would be in cases like this:
>    <?php
>          // $ok is only assigned on the success path; with register_globals on,
>          // a request parameter named "ok" pre-populates it for everyone else.
>          if($user=='rasmus') {
>                $ok = true;
>          }
>          if($ok) {
>                ... secure code ...
>          }
>    ?>

Don't forget the use of session variables.
On one page you:

        $user = 'admin';   // registered as a session variable

And then on another page you:

        if ($user == 'admin')   // trusts $user whatever its source

If a malicious user goes to the second page first
they could overwrite $user and break security.

PHP Development Mailing List <http://www.php.net/>
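Both failure modes discussed above (an uninitialised $ok that a request parameter can pre-populate, and a session variable shadowed by a request parameter when the second page is hit first), as an added example that is not part of the original thread or of PHP itself. register_globals was removed in PHP 5.4, so its effect is simulated with extract(); the function names, the request arrays and the session arrays are constructed for illustration, and the code assumes PHP 7 or later for the return type declarations.

```php
<?php
// Added example, not from the thread. register_globals no longer exists
// (removed in PHP 5.4), so "request parameters become ordinary variables"
// is simulated with extract(). Function names and sample data are constructed.

// Case 1 (Rasmus's snippet): $ok is only assigned on the success path.
// With register_globals on, a request such as ?ok=1 pre-populates $ok,
// so the second test passes for any user.
function check_vulnerable(array $request): bool
{
    extract($request);                      // simulates register_globals
    if (isset($user) && $user == 'rasmus') {
        $ok = true;
    }
    return !empty($ok);                     // attacker-controlled when $user != 'rasmus'
}

// Case 2 (the reply): page 1 stores $user = 'admin' in the session and
// page 2 checks $user == 'admin'. If page 2 is requested first with
// ?user=admin, there is no session value to register and the request
// value is what the check sees.
function page2_vulnerable(array $request, array $session): bool
{
    extract($request);                      // request parameters become variables
    extract($session);                      // session_start() registers session vars on top
    return isset($user) && $user == 'admin';
}

// Hardened form for both cases: initialise every flag, take identity from
// the session array only, and never let request data choose variable names.
function check_hardened(array $session, string $expectedUser): bool
{
    $ok = false;                            // explicit default on every path
    $user = isset($session['user']) ? $session['user'] : null;
    if ($user === $expectedUser) {          // strict comparison, session-sourced value
        $ok = true;
    }
    return $ok;
}

// Constructed sample traffic.
$forged = ['ok' => '1', 'user' => 'admin'];   // attacker's query string
$noSess = [];                                  // second page visited before the first
$legit  = ['user' => 'admin'];                 // session as written by page 1

var_dump(check_vulnerable($forged));
var_dump(page2_vulnerable($forged, $noSess));
var_dump(check_hardened($noSess, 'admin'));
var_dump(check_hardened($legit, 'admin'));
```

Run with `php example.php`: both vulnerable functions return true for the forged request, while the hardened check returns false without a session and true only for the session that page 1 wrote. The hardened function takes no request array at all; that is the point of the fix, and it does not depend on the ini setting.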