I will look into it.  I still consider myself a newbie in the process, having picked 
up a book back in February and learning to do it.  I haven't gotten into using things 
like $_SESSION[] and similar with posting forms.  Thanks.

Robbert van Andel 
Network Operator 
NW Regional Operations Center 
Charter Communications 
ROC Phone: 866-311-6646 
Desk Phone: 360-828-6727 
email: DL NW ROC 

-----Original Message-----
From: Ernest E Vogelsinger [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 27, 2002 1:28 PM
To: Van Andel, Robert
Cc: Evan Nemerson; [EMAIL PROTECTED]
Subject: RE: [PHP] ignoring client supplied session data

At 22:17 27.11.2002, Van Andel, Robert said:
>On the other hand, I use only one query, searching for the username.  I had 
>experimented with other methods but did not find anything that I felt gave 
>me great security.  Using a session variable that says the person is logged 
>in can be placed into a query string therefore bypassing the authentication 

That's the main issue why register_globals is off by default since 4.2. If
you don't use register_globals, your $_SESSION array is safe from
intruders; only your script can set it from within your session. If any
malicious guy passes a query variable ?$_SESSION['authorized']=true, this
will only show up in the $_GET array, nowhere else. A print_r() of $_GET
with this query string gives:

$_GET = Array (
    [$_SESSION] = Array (
        ['authorized'] = 1
    )
)

You might want to check out


to read about the security issues involved. Basically having
register_globals set to on allows an arbitrary user to implant variables of
their choice into PHP, making any script more than unsafe. Having it
switched off allows YOU to control the data that you work with - an
absolute MUST unless you're begging for trouble, IMHO.

   >O     Ernest E. Vogelsinger
   (\)    ICQ #13394035
    ^     http://www.vogelsinger.at/

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
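
The behaviour described in the reply above, as an added example that is not part of the original thread. It assumes a PHP version without register_globals, so the old setting is emulated with extract(); the function names, the `$session` array standing in for `$_SESSION`, and all query strings are constructed for illustration.

```php
<?php
// Added example. parse_str() applies the same parsing rules PHP uses to
// fill $_GET. All query strings below are constructed sample input.

// Emulates register_globals=On: every request parameter becomes a variable
// in the script's scope before the script's own logic runs.
function check_with_register_globals(string $query): bool
{
    parse_str($query, $params);
    extract($params);          // request data turns into local variables
    // Legacy-style check on a bare variable the script never initialised.
    return !empty($authorized);
}

// register_globals=Off: request data stays in its own array, and the decision
// is made only from session data that server-side code wrote.
function check_with_superglobals(string $query, array $session): bool
{
    parse_str($query, $get);   // $get is never consulted for authorisation
    return isset($session['authorized']) && $session['authorized'] === true;
}

$session = [];  // stand-in for $_SESSION of a visitor who has not logged in

// 1. The query string from the message only creates a request key that is
//    literally named '$_SESSION'; the session stand-in is untouched.
parse_str("\$_SESSION['authorized']=true", $get);
print_r($get);
var_dump(array_key_exists('authorized', $session));

// 2. With globals registered, a plain parameter name satisfies the check.
var_dump(check_with_register_globals('authorized=1'));

// 3. The same request has no effect when only the session array is trusted.
var_dump(check_with_superglobals('authorized=1', $session));

// 4. After a real login the server-side code sets the flag itself.
$session['authorized'] = true;
var_dump(check_with_superglobals('', $session));
```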
