On Thursday 05 June 2003 01:43, Rouvas Stathis wrote:

> I strongly disagree with that.
> Consider the following code (assuming $foo is 'external' variable):
>
> 1: if ($foo=='yes') transfer_money_to_me();
>
> 2: if ($_GET['foo']=='yes') transfer_money_to_me();
>
> Why (2) is safer than (1)? Answer: It is *not*.
Consider this slightly more substantial example:

  // Case 1: register_globals = on
  if ($user == 'me' && $password == 'correct') {
    $admin = TRUE;
  }
  if ($admin) {
    list_all_members_sordid_details();
  }

and

  // Case 2: register_globals = off
  if ($_GET['user'] == 'me' && $_GET['password'] == 'correct') {
    $admin = TRUE;
  }
  if ($admin) {
    list_all_members_sordid_details();
  }

In case 1, a malicious person can bypass your password checks by passing
admin=1 in the URL.

> As Rasmus has correctly pointed out, the usage of "register_globals=off"
> per se cannot be considered a security measure. If you don't initialize
> and/or check *all* user-supported variables, you're dead. It's as simple
> as that. Is it annoying? Maybe. Is it necessary? *yes*

I tend to think of it as a safety net. Of course the problems with case 1
could be prevented by explicitly initialising the variables ...

  if ($user == 'me' && $password == 'correct') {
    $admin = TRUE;
  } else {
    $admin = FALSE;
  }

... and extra meticulous coding:

  if ($admin === TRUE) {
    list_all_members_sordid_details();
  }

Nobody's perfect, heck even MS cannot write safe code (!), so
register_globals=0 gives you a little extra breathing space.

--
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
------------------------------------------
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
------------------------------------------
/* You can't judge a book by the way it wears its hair. */

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
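The case 1 bypass and the initialised, strictly compared form from the mail, as an added runnable example that is not part of the thread. register_globals no longer exists in current PHP, so its effect is emulated with extract() on a constructed query string; the function names, the query strings and the admin=1 request are all constructed for this illustration.

```php
<?php
// Added example, not from the original mail. register_globals was removed in
// PHP 5.4, so extract() stands in for it here. Run with: php register_globals.php
declare(strict_types=1);

// Turn a query string into an array the way $_GET would be populated.
function parse_query(string $query): array {
    parse_str($query, $params);   // parse into an array, never into globals
    return $params;
}

// Case 1 from the mail: every request parameter becomes a variable and
// $admin is never initialised before it is tested.
function case1_is_admin(array $request): bool {
    extract($request);            // emulates register_globals = on
    if (isset($user, $password) && $user == 'me' && $password == 'correct') {
        $admin = TRUE;
    }
    return !empty($admin);        // $admin may have come straight from the URL
}

// Hardened form: read only the fields you expect, initialise $admin on every
// path, and compare with === so a string '1' from the URL is never TRUE.
function hardened_is_admin(array $request): bool {
    $admin    = FALSE;
    $user     = $request['user'] ?? '';
    $password = $request['password'] ?? '';
    if ($user === 'me' && $password === 'correct') {
        $admin = TRUE;
    }
    return $admin === TRUE;
}

$forged = parse_query('user=guest&admin=1');        // constructed forged request
$legit  = parse_query('user=me&password=correct');  // constructed valid login

printf("case 1,   admin=1 in URL:    %s\n", case1_is_admin($forged)    ? 'ADMIN (bypassed)' : 'denied');
printf("hardened, admin=1 in URL:    %s\n", hardened_is_admin($forged) ? 'ADMIN' : 'denied');
printf("hardened, real credentials:  %s\n", hardened_is_admin($legit)  ? 'ADMIN' : 'denied');
```

The first line reports the bypass, the second is denied, and the third is granted, which is the whole difference between an uninitialised flag and an explicitly set one.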