At 22:17 27.11.2002, Van Andel, Robert said:
>On the other hand, I use only one query, searching for the username.  I had 
>experimented with other methods but did not find anything that I felt gave 
>me great security.  Using a session variable that says the person is logged 
>in can be placed into a query string therefore bypassing the authentication 

That's the main issue why register_globals is off by default since 4.2. If
you don't use register_globals, your $_SESSION array is safe from
intruders; only your script can set it from within your session. If any
malicious guy passes a query variable ?$_SESSION['authorized']=true, this
will only show up in the $_GET array, nowhere else. A print_r() of $_GET
with this query string gives:

$_GET = Array (
    [$_SESSION] = Array (
        ['authorized'] = 1

You might want to check out

to read about the security issues involved. Basically having
register_globals set to on allows an arbitrary user to implant variables of
their choice into PHP, making any script more than unsafe. Having it
switched off allows YOU to control the data that you work with - an
absolute MUST unless you're begging for trouble, IMHO.

   >O     Ernest E. Vogelsinger
   (\)    ICQ #13394035

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to