> Changing to register_globals=off surely does very little in
> terms of security for the easily fakeable GPC variables.
Maybe not for these variables, but other variables used in your script
cannot be faked by passing them as HTTP_POST_VARS.
e.g., with register_globals=off
if ($HTTP_POST_VARS['user_string'] == 'check_for_security') {
// do something, but be aware of security issues
}
if ($internal_variable == 'whatever') {
// do something, knowing that a user could never have set this
}
The second check is where a lot of scripts are exploitable, I think, if
register_globals=on, because programmers do not expect user input in this
variable.
Cheerio, Marc.
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
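The contrast Marc draws above, written out as an added example (this is not code from his mail or from PHP itself). Since register_globals was removed in PHP 5.4, the `extract()` call below stands in for register_globals=on by importing request keys into the local scope; `$is_admin`, `authorize_vulnerable()`, `authorize_hardened()` and the request arrays are constructed for the illustration.

```php
<?php
// Added example: the "internal variable" check from the mail, first in the
// form that is exploitable under register_globals=on, then hardened.

function authorize_vulnerable(array $request): bool
{
    // Simulate register_globals=on: every request key becomes a local variable.
    extract($request);

    // The author expects $is_admin to be set only by trusted code further up
    // in the script. Under register_globals=on it can arrive from the request,
    // exactly the case the mail warns about.
    if (isset($is_admin) && $is_admin == '1') {
        return true;
    }
    return false;
}

function authorize_hardened(array $request): bool
{
    // Mitigation 1: initialise every internal variable before any branch
    // reads it, so a value injected into the scope cannot survive.
    $is_admin = false;

    // Mitigation 2: read user input only from the explicit input array
    // ($_POST / $HTTP_POST_VARS style), never from a bare variable name.
    $user = isset($request['user']) ? (string) $request['user'] : '';

    // Constructed stand-in for a real privilege lookup.
    if ($user === 'alice') {
        $is_admin = true;
    }
    return $is_admin;
}

// Constructed requests standing in for $HTTP_POST_VARS / $_POST.
$crafted = ['is_admin' => '1'];          // tries to set the internal flag directly
$normal  = ['user' => 'alice'];          // legitimate input path

var_dump(authorize_vulnerable($crafted)); // bool(true): untrusted input reached the internal flag
var_dump(authorize_hardened($crafted));   // bool(false): flag initialised, stray key ignored
var_dump(authorize_hardened($normal));    // bool(true): only the explicit input path grants it
```

Initialising internal variables at the top of the script is the change that removes the exposure regardless of the ini setting; switching register_globals off on top of that, as the mail recommends, means the explicit input arrays become the only way request data enters the script at all.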