Hello,

on 06/17/2006 08:35 PM Rory Browne said the following:
>> So, a secure application always has to validate values from client side
>> originated variables, independently of whether the values were retrieved
>> from $_GET, $_POST, $_COOKIE or $_REQUEST.
>
> You should always validate ALL external variables.

That is what I said! ;-)

>> As for server side originated variables, these do not need to be
>> validated if you get them from $_SESSION, $_SERVER and $_ENV.
>
> THIS IS NOT TRUE.
>
> Some $_SERVER variables can be influenced by the client (eg
> $_SERVER['PATH_INFO'], being one example) (same for $_ENV)

Sure, that is true. I was not thinking of variables associated with the
HTTP request itself, but rather of others that are constant Web-server-wide.

> $_SESSION validation is equally important, but slightly different. You need
> to make sure (for example) that your sessions aren't being hijacked.

That is another story. Still, the point here is that you can have
register globals turned on and safely read session variables from
$_SESSION without further validation, because the session variable values
were once set by the server side application; you do not need to
validate them on each request like client side originated variables.

--
Regards,
Manuel Lemos

Metastorage - Data object relational mapping layer generator
http://www.metastorage.net/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
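The distinction argued in this exchange, as an added PHP example that is not code from either poster: request-derived input (including the $_SERVER keys that come from the HTTP request, such as PATH_INFO and every HTTP_* header) is validated on each request, while a value the application itself stored in $_SESSION after validation is read back as-is. The list of client-controlled $_SERVER keys, the validation rules and the constructed request arrays are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. It separates request-derived
// values (validated on every request) from values the application itself
// stored in the session after validation (read back without re-checking).

// $_SERVER keys whose values come from the HTTP request and are therefore
// client-controlled. Assumed list for this example; every HTTP_* header is
// client-supplied as well and is handled by the prefix check below.
const CLIENT_CONTROLLED_SERVER_KEYS = [
    'PATH_INFO', 'PATH_TRANSLATED', 'QUERY_STRING', 'REQUEST_URI',
    'REQUEST_METHOD', 'CONTENT_TYPE', 'CONTENT_LENGTH',
];

/** Is this $_SERVER entry influenced by the client, or set by the server? */
function serverKeyIsClientControlled(string $key): bool
{
    return str_starts_with($key, 'HTTP_')
        || in_array($key, CLIENT_CONTROLLED_SERVER_KEYS, true);
}

/** Validate PATH_INFO: absolute, limited charset, no traversal, bounded length. */
function validatePathInfo(?string $raw): ?string
{
    if ($raw === null || strlen($raw) > 255 || str_contains($raw, '..')) {
        return null;
    }
    return preg_match('#\A/[A-Za-z0-9_/.-]*\z#', $raw) === 1 ? $raw : null;
}

/** Validate a positive integer id coming from the client. */
function validateId(mixed $raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Store a value in the session only after it passed validation, so that a
 * later request can trust $session[$key] without re-validating it.
 * @param array<string,mixed> $session  the $_SESSION array (or a stand-in)
 */
function sessionSetValidated(array &$session, string $key, mixed $validated): void
{
    if ($validated === null) {
        throw new InvalidArgumentException("refusing to store rejected value for $key");
    }
    $session[$key] = $validated;
}

// --- Constructed request, standing in for the real superglobals ---
$server = [
    'SERVER_SOFTWARE' => 'Apache',            // set by the server
    'DOCUMENT_ROOT'   => '/var/www/html',     // set by the server
    'PATH_INFO'       => '/../../etc/passwd', // client-controlled
    'HTTP_HOST'       => 'example.test',      // client-controlled (HTTP_* header)
];
$get     = ['id' => '42abc'];  // constructed: not a valid integer
$session = [];                 // stand-in for $_SESSION

foreach ($server as $key => $value) {
    printf("%-16s %s\n", $key,
        serverKeyIsClientControlled($key) ? 'client-controlled' : 'server-set');
}

// Request-derived $_SERVER keys get the same treatment as $_GET/$_POST/$_COOKIE.
$pathInfo = validatePathInfo($server['PATH_INFO'] ?? null);  // null: traversal rejected
$id       = validateId($get['id'] ?? null);                  // null: not an integer
var_dump($pathInfo, $id);

// A later, well-formed request: the validated value is written to the session once.
$id = validateId('42');
sessionSetValidated($session, 'user_id', $id);

// On subsequent requests the application reads the session value back as-is;
// it was set by the server side after validation, so no re-check is needed.
$userId = $session['user_id'];
var_dump($userId);   // int(42)
```

The point of sessionSetValidated is that the only path into the session goes through a validator, which is what makes the later unvalidated read in the last lines safe; session fixation and hijacking, which Rory raises, are a separate concern about who owns the session, not about the values stored in it.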