That would be easy to solve by just adding a non_overwrite flag to the vars and thrus forbid the vars from get/post to override vars in the varspace that come from programming and not from get/post...
One would keep the global vars but would also have the security of the existing/declared vars be protected from overwrite (only get/post vars would be allowed to be overwriten between page initializations)... Cheers, Luis Ferro Matt Parlane wrote: >Posting the variables might solve the problem in this case, but remember >that this is just an example, and I'm sure any creative mind could come up >with a whole heap of ways you could exploit something like this. > >On the other hand though, you don't have to use it. If you are confident >you can write an application without using the new superglobal arrays (and >it is conceivably possible), you can just turn register_globals on. It's >just a choice which was made by the PHP developers (rightly so I believe). > >Matt > >"Then" <[EMAIL PROTECTED]> wrote in message >[EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > >>Hi >> >>At the cost of sounding dense...wouldn't POSTing the variables solve the >>problem. Then the user would not see them in the URL. >> >> >>[EMAIL PROTECTED] (Matt Parlane) wrote in >>[EMAIL PROTECTED]:">news:[EMAIL PROTECTED]: >> >> >> >>>Hi... >>> >>>The problem comes when you are mixing variables recieved from the HTTP >>>request, and your own user variables. Consider the following code: >>> >>>function authenticate_user(){ >>> if($password == 'secret'){ >>> $authenticated = 'yes'; >>> } >>> return $authenticated; >>>} >>> >>>If someone passes the variable authenticated=yes in the url request >>>string, the user will be authenticated no matter whether their password >>>matches or not. This is obviously a simplified example, and I'd hope >>>that no programmer would ever do this, but things like have been known >>>to happen, and there have already been exploits for it. >>> >>>The logic behind the change is that it is really not much extra work to >>>type $_GET['something'] than just $something, and it is infinitely more >>>secure - so you should write your scripts using the $_REQUEST variables >>>whenever possible. >>> >>>Hope that helps... >>> >>>Matt >>> >>>"Then" <[EMAIL PROTECTED]> wrote in message >>>[EMAIL PROTECTED]">news:[EMAIL PROTECTED]... >>> >>> >>>>Hi All >>>> >>>>I am a PHP newbie. I don't understand why global variables are turned >>>>off >>>> >>>> >>>by >>> >>> >>>>default in PHP4.2.0... something to do with security. Could some one >>>> >>>> >>>please >>> >>> >>>>help me understand how it's a security issue. Thanks >>>> >>>> >>> >>> >>> >> >>-- >>Lots of Luck >>theN >>[EMAIL PROTECTED] >> >> > > > > > -- PHP Windows Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
