Hi,

At the cost of sounding dense... wouldn't POSTing the variables solve the problem? Then the user would not see them in the URL.
[EMAIL PROTECTED] (Matt Parlane) wrote in news:[EMAIL PROTECTED]:

> Hi...
>
> The problem comes when you are mixing variables received from the HTTP
> request, and your own user variables. Consider the following code:
>
> function authenticate_user(){
>     // with register_globals on, $password and $authenticated can both
>     // arrive pre-set from the request
>     if($password == 'secret'){
>         $authenticated = 'yes';
>     }
>     return $authenticated;
> }
>
> If someone passes the variable authenticated=yes in the url request
> string, the user will be authenticated no matter whether their password
> matches or not. This is obviously a simplified example, and I'd hope
> that no programmer would ever do this, but things like this have been
> known to happen, and there have already been exploits for it.
>
> The logic behind the change is that it is really not much extra work to
> type $_GET['something'] than just $something, and it is infinitely more
> secure - so you should write your scripts using the $_REQUEST variables
> whenever possible.
>
> Hope that helps...
>
> Matt
>
> "Then" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
>> Hi All
>>
>> I am a PHP newbie. I don't understand why global variables are turned
>> off by default in PHP4.2.0... something to do with security. Could
>> some one please help me understand how it's a security issue. Thanks

--
Lots of Luck
theN
[EMAIL PROTECTED]

--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
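To make the point in Matt's snippet concrete, here is an added example (not from anyone in this thread) that places the register_globals-style function beside an explicit one. register_globals is no longer available in current PHP, so its effect is simulated with extract() over a constructed request array; the function names, the literal password 'secret' and the sample request are assumptions for illustration. Note that register_globals pulled in POST and cookie data as well as the query string, so switching the form to POST does not by itself close the hole; what closes it is reading only the keys you expect from the array you expect and initialising your own state variables.

```php
<?php
// Added example, not code from the thread. Simulates register_globals with
// extract() so it runs from the command line with no web server.

// Constructed request: the sender does not know the password but also
// supplies authenticated=yes, as described in the thread.
$request = ['password' => 'wrong', 'authenticated' => 'yes'];

// --- Pattern from the thread: state variables can be pre-set by the request ---
function authenticate_user_globals(array $request): string
{
    // Simulates register_globals: every request key becomes a local
    // variable, including $authenticated, which the function meant to own.
    extract($request, EXTR_OVERWRITE);
    if (isset($password) && $password == 'secret') {
        $authenticated = 'yes';
    }
    // The original returned an undefined variable on failure; ?? avoids the notice.
    return $authenticated ?? 'no';
}

// --- Explicit pattern: one named input, one self-initialised result ---
function authenticate_user_explicit(array $post): string
{
    $authenticated = 'no';                // never inherited from the request
    $password = $post['password'] ?? '';  // only the key you asked for
    // hash_equals compares in constant time; in real code compare a stored
    // password hash with password_verify() rather than a literal.
    if (hash_equals('secret', $password)) {
        $authenticated = 'yes';
    }
    return $authenticated;
}

echo "register_globals style: " . authenticate_user_globals($request) . "\n";
echo "explicit style:         " . authenticate_user_explicit($request) . "\n";
```

Run with `php example.php`: the first line reports `yes` even though the password is wrong, the second reports `no`. In a real script the second function would be handed `$_POST` (or `$_GET`) directly, which is exactly the `$_GET['something']` habit Matt recommends.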