On 11 Mar 2004 Chris Shiflett wrote:

> The risk is no greater than what the original poster wants to do anyway:
> 
> $foo = $_POST['foo'];
> 
> Whether $foo is created by register_globals being enabled or by the
> previous code, there is no difference in risk. The data should still be
> considered tainted until it has been properly validated, and disabling
> register_globals does not excuse you from performing this step.

I totally agree -- I certainly didn't mean to suggest otherwise.

The original question was about how to get a specific set of "about 10" 
variables out of the _POST array so he wasn't always having to use 
array references.  One of the responses suggested using 
register_globals and that's what I was responding to.

It seems to me that for security one wants both things -- first, to 
move only what you need from _POST into the global symbol table, and 
second, validate it thoroughly.

--
Tom

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
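The two-step approach Tom describes (copy only an explicit list of fields out of $_POST, then validate every one of them before use), written out as an added PHP example. This is not code from the thread or from PHP itself; the field names, the validation rules and the sample request below are assumptions made for the illustration.

```php
<?php
// Added example, not from the original thread. Demonstrates the two steps
// discussed: (1) move only an allow-list of keys out of $_POST, (2) validate
// each value before it is used. Field names, rules and the sample request
// are assumptions made for this illustration.

// The pattern the thread warns against: every key the client sends becomes a
// variable, including ones the script never expected (the same effect
// register_globals had). Shown for contrast only; it is never called.
function unsafeImport(array $post): array
{
    extract($post);              // $is_admin, $user_id, ... chosen by the client
    return get_defined_vars();
}

// Step 1: pull out only the fields the form is known to have.
// Anything else the client sends is ignored, not promoted to a variable.
const EXPECTED_FIELDS = ['username', 'email', 'age', 'newsletter'];

function pickFields(array $post, array $allowed): array
{
    $picked = [];
    foreach ($allowed as $key) {
        $picked[$key] = $post[$key] ?? null;   // a missing field stays null
    }
    return $picked;
}

// Step 2: validate and normalise each field with its own explicit rule.
// The data is tainted until every value has passed; a single failure
// rejects the whole request rather than falling through to a default.
function validateFields(array $fields): array
{
    $errors = [];
    $clean  = [];

    $username = $fields['username'];
    if (is_string($username) && preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
        $clean['username'] = $username;
    } else {
        $errors['username'] = 'must be 3-32 alphanumeric or underscore characters';
    }

    $email = is_string($fields['email'])
        ? filter_var($fields['email'], FILTER_VALIDATE_EMAIL)
        : false;
    if ($email !== false) {
        $clean['email'] = $email;
    } else {
        $errors['email'] = 'not a valid address';
    }

    $age = is_scalar($fields['age'])
        ? filter_var($fields['age'], FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 13, 'max_range' => 120]])
        : false;
    if ($age !== false) {
        $clean['age'] = $age;                  // now an int, not a string
    } else {
        $errors['age'] = 'must be an integer between 13 and 120';
    }

    // Checkbox: absent means unchecked; if present it must be exactly "1".
    $newsletter = $fields['newsletter'];
    if ($newsletter === null || $newsletter === '1') {
        $clean['newsletter'] = ($newsletter === '1');
    } else {
        $errors['newsletter'] = 'unexpected value';
    }

    return ['clean' => $clean, 'errors' => $errors];
}

// Constructed sample request: one hostile extra key and one bad value.
$samplePost = [
    'username'   => 'tom_42',
    'email'      => 'tom@example.com',
    'age'        => '17abc',        // rejected by FILTER_VALIDATE_INT
    'newsletter' => '1',
    'is_admin'   => '1',            // never requested; must not become $is_admin
];

$result = validateFields(pickFields($samplePost, EXPECTED_FIELDS));

if ($result['errors']) {
    // Reject the request; do not continue with partially validated data.
    print_r($result['errors']);
} else {
    // Only now is it reasonable to promote the values to plain variables.
    // EXTR_SKIP refuses to overwrite anything already defined in this scope.
    extract($result['clean'], EXTR_SKIP);
    printf("Welcome %s <%s>\n", $username, $email);
}
```

The point of doing the allow-list first is that a client-supplied key such as `is_admin` never exists as a variable at all, so no later code can be fooled by it; the point of validating second is that even the expected keys are still attacker-controlled strings until each one has passed a rule of its own. With the sample request above the `age` check fails and the script stops before `extract()` is ever reached.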
