Actually, it's not "dangerous" per se.

However, it can be very dangerous if you aren't being careful in your code.
For instance, consider this.

Let's say I've conditionally set $sql somewhere else in the code based upon
certain conditions, which works fine. But let's say those conditions aren't
met so $sql doesn't get set to anything since it's not really used. Now
consider this code:

<?php
// $sql is only assigned when some earlier condition holds; when it is not,
// and register_globals is on, a request parameter of the same name fills it in.
if ($sql)
{
    $result = mysql_query($sql);
}

Now that would be fine for all normal instances. But what if someone
appends this onto the end of your URL:

?query=

...plus something like "DROP databasename"? It doesn't take too much
imagination to see what kind of things could happen if someone had just a
little bit of knowledge about how your code works.

Thus you have two options. One is, of course, to turn register_globals off,
but ALWAYS ALWAYS _ALWAYS_ set a default for every variable you refer to in
your script at some point before doing anything with it. So if you use $sql,
be 100% sure that $sql has been set explicitly in your code before doing
anything with it.


--
Plutarck
Should be working on something...
...but forgot what it was.



"Greig, Euan" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> I have read in several places that it is dangerous to have register_globals
> on, but I have not understood the (short) explanations given. Can anyone
> enlighten me?
>
> Euan Greig
> Technical Consultant
> BRANN DATA
> [EMAIL PROTECTED]
> 01285 645997
>
> **************************************************************************
> Any opinions expressed in this email are those of the individual and
> not necessarily the Company. This email and any files transmitted with
> it, including replies and forwarded copies (which may contain alterations)
> subsequently transmitted from the Company, are confidential and solely for
> the use of the intended recipient. If you are not the intended recipient
> or the person responsible for delivering to the intended recipient, be
> advised that you have received this email in error and that any use is
> strictly prohibited.
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
>



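As an added example (not code from Plutarck's post or from the PHP project), the following script emulates what register_globals=On did, namely turning every request parameter into a global variable, and runs the "uninitialised $sql" pattern from the post beside a version that sets an explicit default first. The request array, the $condition_met flag and the mysql_query_stub() function are constructed stand-ins so the script runs offline without a database; register_globals itself was removed in PHP 5.4 and the mysql_* functions in PHP 7.0, so the emulation via extract() is the only way to reproduce the behaviour on a current interpreter.

```php
<?php
// Added example; not from the original mailing-list post.
// Emulates register_globals=On with extract() and shows the vulnerable
// pattern from the post next to a hardened one. No real database is used.

// Constructed attacker request: the script never meant $sql to come from
// the client, but with register_globals on, ?sql=... in the URL sets it.
$request = ['sql' => 'DROP TABLE users'];

// Roughly what register_globals did: import request parameters as globals,
// silently overwriting nothing that was not already set.
extract($request, EXTR_OVERWRITE);

// Stand-in for mysql_query(): records what would have been executed.
$executed = [];
function mysql_query_stub($query)
{
    global $executed;
    $executed[] = $query;
    return true;
}

// --- Vulnerable pattern from the post ---
// $sql was meant to be assigned by earlier conditional code. The condition
// was not met, so the author expected $sql to be unset and if ($sql) to skip.
$condition_met = false;
if ($condition_met) {
    $sql = 'SELECT id FROM users WHERE active = 1';
}
if ($sql) {                     // true: $sql was filled from the request
    mysql_query_stub($sql);     // runs the attacker-supplied statement
}
echo "vulnerable: ran ", count($executed), " query: ", implode(' | ', $executed), "\n";

// --- Hardened version ---
// Give every variable an explicit default before any use, so a value that
// leaked in through register_globals (or any other global scope) is discarded.
$executed = [];
$sql = null;
if ($condition_met) {
    $sql = 'SELECT id FROM users WHERE active = 1';
}
if ($sql !== null) {
    mysql_query_stub($sql);
}
echo "hardened: ran ", count($executed), " queries\n";

// Input the script does want from the client should be read explicitly from
// $_GET / $_POST and passed as a bound parameter, never spliced into SQL.
// Turning the directive off belongs in php.ini or .htaccess
// ("php_flag register_globals off"); it cannot be disabled from script code.
```

Run it with `php example.php`: the first block executes the attacker's DROP statement because $sql was populated before the script's own logic ran, while the second executes nothing, which is exactly the "set a default for every variable" discipline the post recommends.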