Matt Monaco wrote:
Somewhat, but it's what you need to do for the post and get arrays to work.
<snip>
No. Things like $_POST and $_GET are global arrays and work regardless
of the register_globals setting. The information you're handing out
above is wrong and dangerous.
</snip>
What you need to do is make sure to check the values in the global variables
before you use them. For example if on one page you have a form for a user
signup and <input type=text name='userName'> on the next page
$_POST['userName'] should be checked for things like quotes and other
characters that will alter your SQL statement before you actually INSERT
that value into your table.
i.e. they should be sanitized. Things like mysql_real_escape_string() or
adding slashes (depending on your magic_quotes setting) should be done
prior to inserting any data. Also, you should check to ensure that it's
the data you expect; if you only allow usernames to contain
alpha-numeric characters, then you should check for that. Toss it out
if it contains something else.
Best rule of thumb: Never trust user input, regardless of the
register_globals setting.
--
By-Tor.com
...it's all about the Rush
http://www.by-tor.com
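The checks described in the reply above, written out as an added PHP example (not code from the original post). The function names, the 3-20 character length limit and the use of mysqli are assumptions; the allow-list of alphanumeric characters and the magic_quotes handling follow the advice given in the post.

```php
<?php
// Added example, not from the original post: validate a signup username
// taken from $_POST before it gets anywhere near an SQL statement.

// Returns the cleaned username, or null if the input should be tossed out.
function validateUserName(array $post): ?string
{
    // Missing field or a non-string (e.g. userName[] submitted as an array)
    if (!isset($post['userName']) || !is_string($post['userName'])) {
        return null;
    }
    $name = $post['userName'];

    // If magic_quotes_gpc added backslashes, strip them first so the value
    // is never escaped twice. (Only relevant on PHP < 5.4; the function was
    // removed in PHP 8, hence the function_exists() guard.)
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $name = stripslashes($name);
    }

    // Allow-list: only alphanumeric characters, length 3-20 (assumed limit).
    // Quotes, semicolons, comment markers and anything else are rejected
    // outright rather than "cleaned".
    if (!preg_match('/^[A-Za-z0-9]{3,20}$/', $name)) {
        return null;
    }
    return $name;
}

// Escape before interpolating into the SQL string. The allow-list above
// already excludes quotes, so this is a second line of defence, not the
// only one. mysqli's real_escape_string() replaces the old mysql_* call.
function insertUser(mysqli $db, string $name): bool
{
    $safe = $db->real_escape_string($name);
    return $db->query("INSERT INTO users (username) VALUES ('$safe')") !== false;
}

// Usage on the page that receives the signup form:
$userName = validateUserName($_POST);
if ($userName === null) {
    http_response_code(400);
    exit('Invalid username');
}
// $db = new mysqli('localhost', 'user', 'pass', 'app');  // assumed connection
// insertUser($db, $userName);
```

A prepared statement with a bound parameter avoids building the SQL string at all and is the safer choice on any PHP version that offers it.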