> Or turn off Register_global, and then MODULES_DIR would only exist in
> $_GET. I chalk this one up to a bad PHP configuration:
> While it would not stop attacks that could cause you to include stuff
> if other variables are not checked before blindly being used from the
> $_POST and $_GET arrays, however the attack you just mentioned is
> null and void.
> If you are running with register_globals on, you should seriously re-
> consider. It will be deprecated, and I can't wait for it to finally
> be gone, then script writers will have to learn how to use the
> array's that were meant for that sort of data.
> Bert JW Regeer
Yes, register_globals was turned on and consiquently turned off, but
thats no excuse for not protecting the vars.