--- "Ryan Jameson (USA)" <RJameson@usa.ibs.org> wrote:
> You are absolutely correct. However, the only value that security
> "feature" has is in the case that the program really cares which
> method the variable was received. I never have, and I doubt I ever
> will. I have had cases where I thought I'd be concerned with this
> but a rethink of the logic proved there was a better way. Even if I
> am concerned with such an issue I can always check the post array
> to make sure it is there.
>
> The decision to default to 'off' was a good one, but it only
> protects certain types of programmers from accidentally creating
> holes. I am a bit more deliberate, and see no security value in it
> for myself. Therefore my installations remain
> register_globals="on"...
>
> If you'd like to pass your username and password on a query string
> be my guest, it'll work just fine. I don't recommend it though.
>

Actually, it's more than just checking for variables you expect. Let's say you have a variable in your script that is set before user data is parsed. Then you use extract() to pull all the variables out of the superglobals. If someone attaches a variable to a GET with the same name as a variable you've already set, then it will overwrite your variable if you have register_globals on or simply extract() all superglobals.

A **trivial** example:

    <?php
    $var1 = "Ryan";
    // some set of PHP code
    extract($HTTP_GET_VARS); // or $_GET
    // more PHP code
    echo "Hello " . $var1;
    ?>

If I add ?var1=Mark to the URL for this page, it will respond with "Hello Mark", not "Hello Ryan" as expected. Obviously I've oversimplified this. But I believe a big part of the point of the superglobals was to eliminate the ability for a malicious user to overwrite values that the programmer didn't want to let them set.

I don't mean to get into a debate over the value of register_globals being turned off. I do agree that for some it has value and for others it doesn't.
I don't think being deliberate is the only test for whether there's use for it.

Mark

> <>< Ryan
>
> -----Original Message-----
> From: Mark [mailto:mark_weinstock@yahoo.com]
> Sent: Monday, December 09, 2002 10:51 AM
> To: Ryan Jameson (USA); php-db@lists.php.net
> Subject: RE: passing variables
>
>
> --- "Ryan Jameson (USA)" <RJameson@usa.ibs.org> wrote:
> > I missed the part where he was using an image. Without a value
> > property, I don't see how it could pass anything at all....
> >
> > A note on my recent post, to emulate register_globals do this:
> >
> > if (!empty($_SERVER))
> >     extract($_SERVER);
> >
> > if (!empty($_GET)) {
> >     extract($_GET);
> > } else if (!empty($HTTP_GET_VARS)) {
> >     extract($HTTP_GET_VARS);
> > }
> >
> > if (!empty($_POST)) {
> >     extract($_POST);
> > } else if (!empty($HTTP_POST_VARS)) {
> >     extract($HTTP_POST_VARS);
> > }
> >
> >
> > This registers all of the different arrays.
>
> And completely nullifies the security value of having
> register_globals turned off. But I guess if you don't have access
> to the php.ini file this is as good...
>
> > <>< Ryan
>
>
> =====
> Mark Weinstock
> mark_weinstock@yahoo.com
> ***************************************
> You can't demand something as a "right" unless you are willing to
> fight to death to defend everyone else's right to the same thing.
> -Stolen from the now-defunct Randy's Random mailing list.
> ***************************************
>
> __________________________________________________
> Do you Yahoo!?
> Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
> http://mailplus.yahoo.com
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
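The overwrite Mark describes above, with two hardened variants beside it, as an added example (not code from this thread): $_GET is constructed inline so the script runs from the command line without a web server, the $is_admin flag is a hypothetical script-set variable, and EXTR_SKIP and EXTR_PREFIX_ALL are the flags PHP's extract() accepts in place of the default EXTR_OVERWRITE.

```php
<?php
// Constructed request (not a real capture): the attacker-style query string
// ?var1=Mark&is_admin=1 as PHP would have parsed it into $_GET.
$_GET = ['var1' => 'Mark', 'is_admin' => '1'];

// Vulnerable: the script sets its own variables first, then extract()s the
// request. The default EXTR_OVERWRITE flag lets a request parameter replace
// both of them, the same effect as register_globals = on.
function vulnerable(array $request): array
{
    $var1 = 'Ryan';
    $is_admin = false;      // hypothetical flag decided by the script, not the user
    extract($request);      // EXTR_OVERWRITE is the default
    return ['greeting' => "Hello $var1", 'is_admin' => (bool) $is_admin];
}

// Hardened 1: EXTR_SKIP leaves any variable that already exists untouched, so
// script-controlled state survives and only genuinely new names are created.
function hardened_skip(array $request): array
{
    $var1 = 'Ryan';
    $is_admin = false;
    extract($request, EXTR_SKIP);
    return ['greeting' => "Hello $var1", 'is_admin' => (bool) $is_admin];
}

// Hardened 2: keep request data in its own namespace. EXTR_PREFIX_ALL turns
// the var1 parameter into $req_var1, so it can never collide with $var1.
function hardened_prefix(array $request): array
{
    $var1 = 'Ryan';
    $is_admin = false;
    extract($request, EXTR_PREFIX_ALL, 'req');
    $who = isset($req_var1) ? $req_var1 : 'nobody';   // read the request explicitly
    return ['greeting' => "Hello $var1 (request said $who)", 'is_admin' => (bool) $is_admin];
}

foreach (['vulnerable', 'hardened_skip', 'hardened_prefix'] as $fn) {
    $r = $fn($_GET);
    printf("%-16s %-36s is_admin=%s\n", $fn, $r['greeting'], $r['is_admin'] ? 'true' : 'false');
}
```

Only the first variant reports Mark as the greeting and a true is_admin; the two hardened variants keep the script's own values.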