----- Original Message -----
From: "Patrick Hsieh" <[EMAIL PROTECTED]>
> Hello list,
> php4.1 recommends to set register_globals=off in php.ini to make php
> more strict.  My question is, if I turn off register_globals, what will
> happen if any malicious user just try to modify the variable values in
> the url? Say,

The variables will get passed just like normal. You have no way of telling
if the values actually came from a form or if the user manipulated the data.
This goes for GET, POST, and COOKIE data.

> How can we avoid the malicious attack by directly http GET/POST with
> modified parameter values to make possible system error or compromise?

You can't stop it. The user can send anything to your site. It's up to you
to validate the data and make sure it's what it's supposed to be.

At least with register_globals = off, when you use $_GET["var"], you know
it's coming from the URL (or a GET form). Same thing with _POST, _SESSION,
and _COOKIE, etc. You know where the data should be coming from. You still
have to validate it. W/o register globals, you just use $var and have no
idea where it's coming from. You may think it's coming from a posted form,
but the user actually passed it in the url. Or, you use $var2, not expecting
it to come from the user at all, but the user passes it in the URL and it
overwrites $var2.

register_globals isn't always "bad". It just allows for more errors and
holes with it on if you're not careful.

---John Holmes...

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to