steve wrote:
> Jason Wong wrote:
>
>> With register_globals enabled, the problem is not with the $_POST, $_GET
>> etc. variables (although yes you should always validate data when they
>> come from untrusted sources). The problem is that malicious users can
>> pollute your namespace and if you do not initialise variables properly
>> before using them your application can be compromised.

On the contrary, with register_globals enabled, the problem *IS* with
$_POST, $_GET etc. variables being polluted! That is the very definition of
the problem register_globals was designed to solve.

Turning register_globals OFF simply corrals the pollution so that it's
*ONLY* in $_POST/$_GET/$_REQUEST/etc. instead of automatically being spewed
throughout the global name space of all variables.

If you blindly walk through POST/GET, or use extract on them, or do
something that turns *EVERY* POST/GET entry into a variable, you might as
well turn register_globals ON -- otherwise, your OFF setting is only
providing you with a false sense of security, which is worse than no
security at all.

--
Like Music? http://l-i-e.com/artists.htm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
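The point made above (that extract() on request data recreates the register_globals problem, while initialising variables and reading only expected keys avoids it) as an added illustration; this is not code from the thread, and the request array, the function names and the "is_admin" key are constructed for the example.

```php
<?php
// Added example, not code from the mailing-list thread. $request is a
// constructed sample standing in for what PHP would place in $_POST.
$request = ['username' => 'alice', 'is_admin' => '1'];

// The pattern the post warns about: extract() turns every submitted key
// into a local variable, which is exactly what register_globals did.
function check_access_weak(array $post): bool
{
    // $is_admin is never initialised here, so whoever submits the form
    // gets to choose its initial value by adding an "is_admin" field.
    extract($post);
    $username = isset($username) ? (string) $username : '';
    if ($username === 'root') {
        $is_admin = true;
    }
    return !empty($is_admin);
}

// Corrected form: every variable gets an explicit initial value, and only
// the keys the application actually expects are read from the request.
function check_access_safe(array $post): bool
{
    $is_admin = false;
    $username = isset($post['username']) ? (string) $post['username'] : '';
    if ($username === 'root') {
        $is_admin = true;
    }
    return $is_admin;
}

// The same request yields different decisions: the weak version honours
// the submitted "is_admin" field, the safe version ignores it.
var_dump(check_access_weak($request));
var_dump(check_access_safe($request));
```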