Kirk,

That was enlightening, thank you. I think that I had better set register_globals OFF! However, there is still one last nagging question in my mind: What is the purpose of the $_GET (or $HTTP_GET_VARS) predefined variable? It seems that in the case of "get" variables, malicious variables could still be set in the querystring and even using $_GET['variablename'] wouldn't be able to stop this from happening. That is, from what I understand, the advantage of using "get" variables in the first place.

So does using $_GET actually confer any additional security? If so, how?

Thank you all,

Erik

On Tuesday, January 15, 2002, at 03:55 PM, Johnson, Kirk wrote:

> Give this a read first, then come back if you still have questions ;)
>
> http://www.securereality.com.au/studyinscarlet.txt
>
> Kirk
>
>> -----Original Message-----
>> From: Erik Price [mailto:[EMAIL PROTECTED]]
>> Sent: Tuesday, January 15, 2002 1:50 PM
>> To: PHP
>> Subject: [PHP] security benefits of predefined variables
>>
>>
>> Hi,
>>
>> I was hoping that someone could point me to a page or resource where I
>> can find more information about using the predefined variables
>> introduced in PHP 4.1.0.

--
PHP General Mailing List (http://www.php.net/)