Amanda Wynne wrote:
> test-out.php?name=test
>
> the variable $name is empty.
>
> php 4.2.2 running as part of FoxServ 3.0 on a Windows machine.

You're using PHP 4.2, which means that the horribly silly and insecure
register_globals feature is now off by default. That's a good thing, please
don't change it! :-)

You need to change your use of the untrusted incoming data. Consider this
piece of code:

<?php
if (authenticate_user()) {
    $authenticated = true;
}
...
?>

If a naughty person accessed that page with ?authenticated=true (in a GET
request, they could also do it with a POST to be a bit quieter about it),
they'd be authenticated, because the data from an untrusted source is not
checked.

You need to use one of $_GET, $_POST, $_COOKIE, etc. These are all described
in the PHP docs.

:-)

- Jeff
--
Interplanetary Pants
--
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
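
Added example, not part of the original message: the snippet above with register_globals emulated, next to a version that initialises the flag and reads input by explicit key. The request array is constructed sample data, extract() stands in for what register_globals did, authenticate_user() is stubbed to fail, and the two page_* function names are hypothetical.

```php
<?php
// Constructed request data standing in for ?name=test&authenticated=true
$request = ['name' => 'test', 'authenticated' => 'true'];

// Stub for the message's authenticate_user(); assumed here to reject the login.
function authenticate_user(): bool
{
    return false;
}

// register_globals on: every request parameter became a variable before the
// script body ran. extract() emulates that import inside this function.
function page_with_register_globals(array $request): bool
{
    extract($request);              // $name and $authenticated now exist
    if (authenticate_user()) {
        $authenticated = true;
    }
    // Login failed, but the flag was already defined by the client.
    return !empty($authenticated);
}

// register_globals off: request data stays in its array ($get stands in for
// $_GET), the flag is initialised locally, and input is read by explicit key.
function page_without_register_globals(array $get): array
{
    $authenticated = false;         // never left for the client to define
    if (authenticate_user()) {
        $authenticated = true;
    }
    $name = isset($get['name']) ? (string) $get['name'] : '';
    return [$authenticated, $name];
}

var_dump(page_with_register_globals($request));
var_dump(page_without_register_globals($request));
```

The first call reports the visitor as authenticated even though authenticate_user() failed; the second keeps the flag false and still receives the name parameter.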