Hi... The problem comes when you are mixing variables received from the HTTP request, and your own user variables. Consider the following code:

    function authenticate_user(){
        // With register_globals on, request parameters arrive as global
        // variables; a function only sees them once they are declared global.
        global $password, $authenticated;
        if($password == 'secret'){
            $authenticated = 'yes';
        }
        return $authenticated;
    }

If someone passes the variable authenticated=yes in the URL request string, the user will be authenticated no matter whether their password matches or not. This is obviously a simplified example, and I'd hope that no programmer would ever do this, but things like this have been known to happen, and there have already been exploits for it.

The logic behind the change is that it is really not much extra work to type $_GET['something'] than just $something, and it is infinitely more secure - so you should write your scripts using the $_REQUEST variables whenever possible.

Hope that helps...

Matt

"Then" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Hi All
>
> I am a PHP newbie. I don't understand why global variables are turned off by
> default in PHP4.2.0... something to do with security. Could someone please
> help me understand how it's a security issue.
> Thanks
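
The pattern described in the message above, as an added example that is not part of the original post: it emulates register_globals with extract() (an assumption, since the setting no longer exists in current PHP) and runs the uninitialised-variable function beside one that reads only the named request key. The function names and sample requests are constructed for illustration.

```php
<?php
// Added illustration, not code from the original post.
// register_globals is gone from current PHP, so this sketch emulates it with
// extract(): every request parameter becomes a variable in the current scope.

// Pattern from the message: $authenticated is never initialised, so a request
// parameter with the same name supplies its value.
function authenticate_user_globals(array $request): string
{
    extract($request);                 // emulates register_globals = On
    if (isset($password) && $password === 'secret') {
        $authenticated = 'yes';
    }
    return $authenticated ?? 'no';
}

// Hardened form: read only the named key from the request array and
// initialise the result before the check, so no request value can preset it.
function authenticate_user_explicit(array $request): string
{
    $authenticated = 'no';
    $password = $request['password'] ?? '';
    // is_string() rejects array-valued input such as password[]=x
    if (is_string($password) && hash_equals('secret', $password)) {
        $authenticated = 'yes';
    }
    return $authenticated;
}

// Constructed sample requests, as already-parsed query strings.
$requests = [
    'correct password' => ['password' => 'secret'],
    'wrong password'   => ['password' => 'guess'],
    'extra parameter'  => ['password' => 'guess', 'authenticated' => 'yes'],
];

foreach ($requests as $label => $request) {
    printf(
        "%-18s globals=%-3s explicit=%s\n",
        $label,
        authenticate_user_globals($request),
        authenticate_user_explicit($request)
    );
}
```

The two functions disagree only on the third request, where a parameter named like the internal variable is present.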