At 04:51 27/07/2001, Marc Boeren wrote:

> > Changing to register globals=off surely does very little in
> > terms of security for the easily fakeable GPC variables.
>Maybe not for these variables, but other variables used in your script
>cannot be faked by passing them as HTTP_POST_VARS.
>e.g., with register_globals=off
>if ($HTTP_POST_VARS['user_string'] == 'check_for_security') {
>     // do something, but be aware of security issues
>     }
>if ($internal_variable == 'whatever') {
>     // do something, knowing that a user could never have set this
>     }
>The second check is where a lot of scripts are exploitable, I think, if
>register_globals=on, because programmers do not expect user-input in this


PHP Development Mailing List <>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to