Hi Phil!
On Mon, 30 Jul 2001, Phil Driscoll wrote:
> On Sunday 29 July 2001 19:13, [EMAIL PROTECTED] wrote:
> ...stuff pointing out how you'd get no warning messages when the evil guy
> sets the variables from outside.
>
> You missed my point, which is the good guy would get the warning messages
> when he tested the code himself without sending in the 'bad' variables.
> There's no point showing the warning messages to the bad guy!
>
Yes Phil, but does your code rely on warning messages alone?
I test each and every variable I'm about to use in the program that
contains data from the user.
My point was that, done that way, you skip the isset() tests and go ahead and
test them. To be more explicit, in the case of register_globals off you won't
have to fear that you forgot to properly initialize a variable that can be
set in the request by the user.
The only concerns are:
- if the user sends fewer variables than you expect
- if the content of those variables is illegal for their meaning.
In the 1st case most programmers (with globals on) test it with isset().
The second one is so seldom seen that it can be said to be a legend.
In web programming there are more complicated security issues than we can
imagine, and not addressing the small ones means we're a bit ignorant of the
consequences.
For instance look for the "The Dangers of Allowing Users to Post Images" and
"Cross-Site Request Forgeries" (derived from the first) threads on Bugtraq.
It was quite an interesting security issue I'd never thought of, and now it
gives me a hard time :)
-- teodor
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
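The register_globals trap the message is about, shown side by side with the explicit fetch-and-validate pattern it recommends. This is an added example, not code from the thread; it is written for PHP 7 or later, where register_globals no longer exists (it was removed in PHP 5.4), so the legacy behaviour is emulated with `extract()` over a constructed request array that stands in for `$_GET`/`$_POST`. The function names, the `$valid_users` table and the sample requests are assumptions made for the demonstration.

```php
<?php
// Added example (not from the original thread). Assumes PHP >= 7; the
// request arrays below are constructed stand-ins for $_GET / $_POST.

// --- The register_globals trap ---------------------------------------------
// With register_globals on, a request such as  ?authorized=1  created
// $authorized before this code ran, so a forgotten initialisation on the
// failure path became a hole. extract() imitates that here (deliberately).
function legacy_check_access(array $request, array $valid_users): bool
{
    extract($request, EXTR_SKIP);   // emulate register_globals: unsafe on purpose

    // Bug the thread discusses: $authorized is never initialised when the
    // credentials are missing or wrong, so the request can supply it.
    if (isset($user, $password)
        && ($valid_users[$user] ?? null) === $password) {
        $authorized = true;
    }
    return !empty($authorized);     // attacker-controlled on the failure path
}

// --- The same check, written the way the message recommends ---------------
// Every variable carrying user data is fetched explicitly from the request,
// tested for presence (the "fewer variables than expected" case) and for
// legal content (the "illegal for its meaning" case) before it is used.
function check_access(array $request, array $valid_users): bool
{
    $authorized = false;                                  // always initialised

    if (!isset($request['user'], $request['password'])) {
        return false;                                     // missing parameters
    }
    $user     = $request['user'];
    $password = $request['password'];

    // Content checks: a user name must be a string from a known-safe
    // alphabet (assumed policy for this example); a password must be a string.
    if (!is_string($user) || !preg_match('/^[a-z0-9_]{1,32}$/', $user)) {
        return false;
    }
    if (!is_string($password)) {
        return false;
    }

    // Constant-time comparison so the check does not leak via timing.
    if (isset($valid_users[$user])
        && hash_equals($valid_users[$user], $password)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed sample data for running the example offline.
$users  = ['teodor' => 'correct horse'];                 // assumed user table
$attack = ['authorized' => '1'];                          // no credentials at all
$good   = ['user' => 'teodor', 'password' => 'correct horse'];

var_dump(legacy_check_access($attack, $users));
var_dump(check_access($attack, $users));
var_dump(check_access($good, $users));
```

The legacy version accepts the credential-less request because `$authorized` arrives from the request itself, while `check_access()` rejects it and still accepts the genuine login; `EXTR_SKIP` is used only so the emulation cannot also clobber `$valid_users`, which a real register_globals deployment would have allowed as well.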
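The Bugtraq issue the message points at, the "posting images" trick, works because an `<img src="...">` posted into a page makes every viewer's browser issue that GET with the viewer's own cookies, so a state-changing GET URL becomes a cross-site request forgery. The following is an added example, not code from the thread or from Bugtraq, of the two-part defence a practitioner would reach for: refuse state changes over GET, and require a per-session secret that a third-party page cannot know. It uses a plain array in place of `$_SESSION` (so it runs without `session_start()`), and the function names, route and sample requests are assumptions for the demonstration.

```php
<?php
// Added example (not from the original thread). PHP >= 7; $session stands in
// for $_SESSION so the script runs offline.

// Create (once) and return the session's CSRF token.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hidden field to embed in the genuine HTML form.
function csrf_field(array &$session): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="token" value="' . $token . '">';
}

// Handler for a hypothetical "delete post" action.  A request is only
// honoured when it is a POST carrying the token bound to this session and
// a well-formed id.
function handle_delete(string $method, array $post, array $session): string
{
    if ($method !== 'POST') {
        return '405 use the form';            // blocks the <img src=...> GET
    }
    if (!isset($post['token'], $session['csrf_token'])
        || !is_string($post['token'])
        || !hash_equals($session['csrf_token'], $post['token'])) {
        return '403 missing or invalid token'; // blocks forged POSTs too
    }
    if (!isset($post['id']) || !ctype_digit((string) $post['id'])) {
        return '400 bad id';                   // content check on the value
    }
    return 'deleted ' . (int) $post['id'];
}

// --- Constructed requests against one victim session ----------------------
$victim = [];                                  // empty session, token minted on demand
$form   = csrf_field($victim);                 // the genuine form shows the token

// 1. Image posted in a forum: <img src="/delete.php?id=5"> -> GET, no token.
echo handle_delete('GET', [], $victim), "\n";

// 2. Attacker page auto-submits a POST form; it cannot read the victim's token.
echo handle_delete('POST', ['id' => '5', 'token' => 'guess'], $victim), "\n";

// 3. Genuine submission from the form rendered above.
echo handle_delete('POST', ['id' => '5', 'token' => $victim['csrf_token']], $victim), "\n";
```

Only the third request is honoured. Refusing GET alone is not enough, since the image trick has a POST cousin (an auto-submitting form on the attacker's page), which is why the token check is the part that actually ends the forgery; the token must be unguessable and compared with `hash_equals()` so neither prediction nor timing recovers it.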