> Having recently switched from php 4.0.0 to 4.2.3 I quickly realized the
> change in variable handling. I still experience problems using the $_POST
> and $_GET globals so I currently have my register globals ON so I can have
> the ability to pass variables from page to page without using the $_POST
> and $_GET methods although I would really like to use them.
>
> My current project has me creating a login interface for users to access a
> form and file upload tools. I am using only 1 set of scripts for
> everyone. Each user is assigned a path to their file area and these
> records are kept in a MySQL database along with username, password and
> contact info. As each page is loaded the ID variable is checked and table
> data is then loaded for them for use on that page. If the ID variable is
> null they are given an error and redirected to the login page. This is to
> keep them from bookmarking the index page for the tools.
>
> My question is this:
>
> If I were to turn off register_globals and use the $_POST and $_GET
> methods, what are the chances of a user getting someone else's variable
> information using only one set of scripts for all. There could be up to
> 700 people using the script at any given time. Cookies are not an option
> as many users may have them turned off and sessions have never worked for
> me or at least I have never figured them out to work the way I think they
> should.

Using _POST or _GET doesn't make your scripts any more secure. It is still all dependent on how you write them. If you assume that the ID coming from _POST or _GET is the user that just logged in, then anyone can just change the ID and get other people's information.

---John Holmes...

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
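
The point made in the reply, as an added example that is not part of the original thread: a lookup that trusts the request's ID, next to one that derives the user from a random token recorded server-side at login. The user table, the `token` parameter and all function names are hypothetical, the data is constructed, and PHP 7.1 or later is assumed.

```php
<?php
// Constructed sample data standing in for the MySQL user table described in the question.
$users = [
    1 => ['username' => 'alice', 'hash' => password_hash('alice-pw', PASSWORD_DEFAULT), 'path' => '/files/alice'],
    2 => ['username' => 'bob',   'hash' => password_hash('bob-pw', PASSWORD_DEFAULT),   'path' => '/files/bob'],
];
$logins = []; // server-side login table: token => user ID (hypothetical store)

// Pattern the reply warns about: whatever ID arrives in the request is taken as the user.
function path_trusting_id(array $users, array $request): ?string {
    $id = (int)($request['ID'] ?? 0);
    return $users[$id]['path'] ?? null;
}

// Login verifies the password, then records an unguessable token against the user ID.
function login(array $users, array &$logins, string $name, string $pw): ?string {
    foreach ($users as $id => $u) {
        if ($u['username'] === $name && password_verify($pw, $u['hash'])) {
            $token = bin2hex(random_bytes(16)); // 128 bits from the system CSPRNG
            $logins[$token] = $id;
            return $token;
        }
    }
    return null;
}

// The request carries only the token; the user ID comes from the server's own record.
function path_for_token(array $users, array $logins, array $request): ?string {
    $token = $request['token'] ?? '';
    if (!is_string($token) || !isset($logins[$token])) {
        return null; // not logged in: the caller redirects to the login page
    }
    return $users[$logins[$token]]['path'];
}

$bobToken = login($users, $logins, 'bob', 'bob-pw');

// Bob is user 2, but the request names ID 1: the trusting lookup follows the request.
var_dump(path_trusting_id($users, ['ID' => '1']));
// Same request plus Bob's token: the ID parameter has no influence on the result.
var_dump(path_for_token($users, $logins, ['token' => $bobToken, 'ID' => '1']));
// A token the server never issued is rejected.
var_dump(path_for_token($users, $logins, ['token' => str_repeat('0', 32)]));
```

PHP's built-in sessions follow the same model: `session_start()` ties a random session ID to server-side `$_SESSION` data, so the user ID never has to travel in the request.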