While I wholly support the concept of using appropriate globals ($_POST,
$_GET, $_COOKIE, etc.), I'd like to make one point abundantly clear:

"While it doesn't guarantee that data has not been forged, it does require
an attacker to guess the right kind of forging."

-- http://us4.php.net/registerglobals

Thus a brute force attack (forging all variable types: post, cookie, and
get) could break a system (unless you were doing an amazing amount of
checking). Basically, I wanted everyone who uses this feature to be aware it
does not make them immune to the type of attack it is used to prevent.

To prevent a brute force as I describe (but not prevent forged cookies by
any means) you could do:

<?php

  // Accept userID only when it is present in the cookie and the same name
  // is absent from both GET and POST. isset() avoids undefined-index
  // notices when a key is missing.
  if (isset($_COOKIE['userID']) && !isset($_GET['userID']) && !isset($_POST['userID']))
  {
    echo "Valid userID cookie, but still could be forged.\n";
  }

?>

--Joe

--
Joe Stump <[EMAIL PROTECTED]>
http://www.joestump.net
"Label makers are proof God wants Sys Admins to be happy."

-----Original Message-----
From: Wendell Brown [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 28, 2003 7:43 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [PHP] Variables don't pass... *sniff*


On Wed, 28 May 2003 16:30:17 +0200, [EMAIL PROTECTED] wrote:

>Howcome? I don't think I understand that...

Check this out.

http://us4.php.net/registerglobals



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
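As an added example (not code from the original post or from PHP's documentation), the following shows the single-source check from the post combined with the step it explicitly leaves out: making a forged cookie detectable. The cookie carries an HMAC over the user ID, computed with a server-side secret, so an attacker who sends userID only via the cookie still cannot choose its value. The constant name COOKIE_SECRET, the function names and the "<userID>.<hmac>" cookie layout are assumptions for illustration; the sample requests are constructed.

```php
<?php
// Added example, not from the original post. Assumed names: COOKIE_SECRET,
// sign_user_id(), user_id_from_request(); assumed cookie layout "<userID>.<hmac>".

const COOKIE_SECRET = 'replace-with-a-long-random-server-side-secret';

// Value the server sets in the cookie at login: the user ID plus an HMAC over it.
function sign_user_id(string $userId, string $secret): string
{
    $mac = hash_hmac('sha256', $userId, $secret);
    return $userId . '.' . $mac;
}

// Return the user ID only when it arrives via the cookie alone and the MAC is
// valid; return null in every other case. The superglobals are passed in as
// arrays so the function can be exercised with constructed input.
function user_id_from_request(array $get, array $post, array $cookie, string $secret): ?string
{
    // The check from the post: reject if the same name was also sent via GET or POST.
    if (isset($get['userID']) || isset($post['userID'])) {
        return null;
    }
    if (!isset($cookie['userID']) || !is_string($cookie['userID'])) {
        return null;
    }

    // Split "<userID>.<hmac>"; anything else is malformed and rejected.
    $parts = explode('.', $cookie['userID'], 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$userId, $mac] = $parts;

    // Recompute the MAC and compare in constant time so timing does not leak it.
    $expected = hash_hmac('sha256', $userId, $secret);
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    return $userId;
}

// Constructed requests for demonstration.
$legit   = ['userID' => sign_user_id('42', COOKIE_SECRET)]; // set by the server
$forged  = ['userID' => '7.' . str_repeat('0', 64)];        // attacker-chosen, MAC is wrong
$shotgun = ['userID' => '7'];                                // same name sent in every channel

var_dump(user_id_from_request([], [], $legit, COOKIE_SECRET));
var_dump(user_id_from_request([], [], $forged, COOKIE_SECRET));
var_dump(user_id_from_request($shotgun, $shotgun, $legit, COOKIE_SECRET));
```

Of the three calls, only the first returns a user ID: the forged cookie fails the MAC check, and the request that sends userID everywhere fails the single-source check even though its cookie is genuine. Note that the HMAC only proves the server issued the value; it does not stop an attacker who has stolen a valid cookie from replaying it, so the cookie should still be scoped with Secure and HttpOnly and tied to a session that can expire.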