Posting the variables might solve the problem in this case, but remember that this is just an example, and I'm sure any creative mind could come up with a whole heap of ways you could exploit something like this.
On the other hand though, you don't have to use it. If you are confident you can write an application without using the new superglobal arrays (and it is conceivably possible), you can just turn register_globals on. It's just a choice which was made by the PHP developers (rightly so I believe).

"Then" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Hi
>
> At the cost of sounding dense... wouldn't POSTing the variables solve the
> problem. Then the user would not see them in the URL.
>
>
> [EMAIL PROTECTED] (Matt Parlane) wrote in
> news:[EMAIL PROTECTED]:
>
> > Hi...
> >
> > The problem comes when you are mixing variables received from the HTTP
> > request, and your own user variables. Consider the following code:
> >
> > function authenticate_user(){
> >     if($password == 'secret'){
> >         $authenticated = 'yes';
> >     }
> >     return $authenticated;
> > }
> >
> > If someone passes the variable authenticated=yes in the url request
> > string, the user will be authenticated no matter whether their password
> > matches or not. This is obviously a simplified example, and I'd hope
> > that no programmer would ever do this, but things like this have been known
> > to happen, and there have already been exploits for it.
> >
> > The logic behind the change is that it is really not much extra work to
> > type $_GET['something'] than just $something, and it is infinitely more
> > secure - so you should write your scripts using the $_REQUEST variables
> > whenever possible.
> >
> > Hope that helps...
> >
> > Matt
> >
> > "Then" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]...
> >> Hi All
> >>
> >> I am a PHP newbie. I don't understand why global variables are turned
> >> off by default in PHP4.2.0... something to do with security. Could someone
> >> please help me understand how it's a security issue.
> >> Thanks
> >
> >
>
> --
> Lots of Luck
> theN
> [EMAIL PROTECTED]

--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
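As an added example (not code from anyone in the thread), the script below reproduces what register_globals does by importing a constructed request array into the global scope with extract(), then contrasts the quoted authenticate_user() (pulling its variables in with `global`, which is how register_globals-injected values reach function code) with a version that initialises its result and reads the password explicitly from the request array. The request array, the 'secret' password and both function names are constructed for this illustration.

```php
<?php
// Constructed request: the client supplies a wrong password and also
// smuggles in authenticated=yes as an extra parameter.
$request = ['password' => 'wrong', 'authenticated' => 'yes'];

// register_globals=on imported every request parameter into the global
// scope before the script ran; extract() reproduces that in one line so
// the effect is visible without changing php.ini.
extract($request);

// The pattern from the thread: result variable never initialised, so the
// injected global $authenticated survives a failed password check.
function authenticate_user_vulnerable()
{
    global $password, $authenticated;   // both came straight from the request
    if ($password == 'secret') {
        $authenticated = 'yes';
    }
    return $authenticated;              // 'yes' even though the password was wrong
}

// Hardened form: input is taken from the request array by name, nothing
// else from the request can reach $authenticated, and the default is 'no'.
function authenticate_user_hardened(array $post)
{
    $authenticated = 'no';                       // always start from the safe state
    $password = $post['password'] ?? '';         // explicit lookup, never a bare global
    if (hash_equals('secret', $password)) {      // constant-time comparison
        $authenticated = 'yes';
    }
    return $authenticated;
}

echo "vulnerable: ", authenticate_user_vulnerable(), "\n";
echo "hardened:   ", authenticate_user_hardened($request), "\n";
```

In a real deployment the hardened function would be handed $_POST (or $_REQUEST, as the thread suggests) rather than the constructed array, and the rest of the script never has to care whether register_globals is on.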