> If you are careful, you can defend against Scenario 1 with register_globals
> on, but you need to understand all the stuff that PHP is doing with the
> data, and that is a fairly complicated picture. Your application can still
> work even if you don't understand that picture, and that is how unsecure
> applications come about. With register_globals off, the data movement
> picture is much simpler, and this is more of a "fail-safe" mode: if you
> don't understand how the data moves around in PHP, your application simply
> breaks ;)

In your scenario setting your error_reporting level to E_ALL will throw a
warning when you use an uninitialized $admin variable.  That will prompt
you to initialize $admin correctly and thus be fine with register_globals
turned on.

I don't think it is quite as hard as everyone says to write
register_globals-safe code.


PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to