At 04:51 27/07/2001, Marc Boeren wrote:
> > Changing to register globals=off surely does very little in
> > terms of security for the easily fakeable GPC variables.
>
>Maybe not for these variables, but other variables used in your script
>cannot be faked by passing them as HTTP_POST_VARS.
>
>e.g., with register_globals=off
>
>if ($HTTP_POST_VARS['user_string'] == 'check_for_security') {
>    // do something, but be aware of security issues
>}
>
>if ($internal_variable == 'whatever') {
>    // do something, knowing that a user could never have set this
>}
>
>The second check is where a lot of scripts are exploitable, I think, if
>register_globals=on, because programmers do not expect user-input in this
>variable.
*exactly*.
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
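The two checks Marc quotes, written out as an added example (not code from the thread) that shows what register_globals=on did to the second one and how to write it so the setting no longer matters. The request body is constructed for the walk-through; extract() is used only to emulate register_globals, and $_POST (mentioned in a comment) is the later name for $HTTP_POST_VARS.

```php
<?php
// Added example, not from the original thread. $HTTP_POST_VARS is the PHP 4
// array name; from PHP 4.1 onward $_POST holds the same data.

// Constructed request for the walk-through: the client sent the POST body
//   user_string=check_for_security&internal_variable=whatever
$HTTP_POST_VARS = [
    'user_string'       => 'check_for_security',
    'internal_variable' => 'whatever',
];

// What register_globals=on did: every request key became a global variable
// before the script's first statement ran. Emulated here with extract() only
// to make the effect visible; this is exactly the behaviour to avoid.
$register_globals = true;
if ($register_globals) {
    extract($HTTP_POST_VARS, EXTR_OVERWRITE);
}

// --- First check: explicit user input, the author knows it is untrusted ---
if (isset($HTTP_POST_VARS['user_string'])
    && $HTTP_POST_VARS['user_string'] === 'check_for_security') {
    echo "first check: handling user-supplied value, treated as untrusted\n";
}

// --- Second check, vulnerable shape: $internal_variable read before set ---
// The author assumes only this script can assign it, so a match implies an
// earlier trusted code path ran. With register_globals=on the request above
// already made it 'whatever', so this branch is taken from user input.
if (isset($internal_variable) && $internal_variable == 'whatever') {
    echo "vulnerable check: branch taken, but the value came from the request\n";
} else {
    echo "vulnerable check: normal branch\n";
}

// --- Second check, hardened shape: independent of register_globals ---
// 1. Initialise every internal flag before it is read, so request data can
//    never supply its first value.
// 2. Only script logic, after its own validation, changes the flag.
$internal_state = 'unset';
if (isset($HTTP_POST_VARS['user_string'])
    && $HTTP_POST_VARS['user_string'] === 'check_for_security') {
    $internal_state = 'verified';   // decided here, never by a bare global
}
if ($internal_state === 'verified') {
    echo "hardened check: branch chosen by script logic only\n";
}
```

Running this under any PHP 5.4+ interpreter (where register_globals no longer exists) still prints the vulnerable branch because of the emulation, which is the point: the second check is only as safe as the assumption that nothing else sets the variable first.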