Re: Problem with $GLOBALS

Can you explain why register globals is a big security risk??

If you have register globals on and a user goes to
http://www.site.com/index.php?visitor=10
$visitor is set to 10, so yes, they can change the integer for visitor,
but even with register globals off they can change it there too, because
your script just does $_POST['visitor'] and it still retrieves the same
value from the query string, that is, unless you use GET instead of POST.

Also, which is better and more secure to use, GET or POST???

Joe Crawford Jr.


On Sun, 18 May 2003 11:58:01 +0100, stephen.edmonds5@btinternet.com
(Stephen) wrote:

>Of more use is probably a description of how things now work. Register
>Globals represents quite a large security risk to PHP scripts as it allows a
>visitor to your site to define the value of ANY variable. Instead, there are
>now a fixed number of "super global arrays". Rather than defining lots of
>individual variables, all pre-script defined variables are put into one big
>array. It's easier to understand with an example
>
>A user goes to http://mysite.com/index.php?visitorid=10
>
>with register globals, this defines $visitorid as '10'
>
>without register globals, the only way to access this data is by using
>$_GET['visitorid']
>
>The latter example is the preferred use, I strongly suggest learning to use it.
>BTW, you are using the same book I used! I thought it was quite a good one,
>although since then I've picked a lot up from the php manual and this
>helplist.
>
>$_POST[''] for all post variables - eg <form method="POST">
>$_GET[''] for all get variables, that is variables from the url (as above)
>$_SESSION[''] for all session variables. Sessions have changed a lot since
>the book was written.
>
>Those are the three main ones. I would give you a link to the correct page
>in the php manual but it appears to be down at the moment!
>
>Stephen
>
>----- Original Message ----- 
>From: "Jim George" <jim.george@blueyonder.co.uk>
>To: "Jennifer S." <jennifer_p_s@yahoo.com.au>; <php-windows@lists.php.net>
>Sent: Sunday, May 18, 2003 8:26 AM
>Subject: RE:  Problem with $GLOBALS
>
>
>> Jennifer,
>>
>> thanks for that, worked beautifully.
>>
>> Jim
>>   -----Original Message-----
>>   From: Jennifer S. [mailto:jennifer_p_s@yahoo.com.au]
>>   Sent: 18 May 2003 05:43
>>   To: Jim George; php-windows@lists.php.net
>>   Subject: Re:  Problem with $GLOBALS
>>
>>
>>   The book assumes that you have "register globals" set to "on" in your
>>   php.ini file. By default it's off now. Change it to "on" and you should be
>>   OK.
>>
>>   Cheers,
>>   Jennifer
>>
>>
>>   Jim George <jim.george@blueyonder.co.uk> wrote:
>>     Folks,
>>
>>     I'm a total newbie with PHP and I've been working through "SAMS Teach
>>     yourself PHP in 24 hours".
>>     I got to Hour 9 where they introduced the concept of predefined variables
>>     and the $GLOBALS variable. Neither of these appear to work generating all
>>     sorts of errors.
>>     Please find below a listing. Can someone help me please?
>>     Thanks.
>>
>>     Jim
>>
>>
>>     <?php
>>     print "
>>     Let's try that loop again
>>     ";
>>     $user1="Harry";
>>     $user2="Mary";
>>     $user3="Bob";
>>
>>     foreach($GLOBALS as $key=>$value){
>>     print "\$GLOBALS[\"$key\"] == $value";
>>     }
>>     ?>
>>
>>
>>
>>
>>     --
>>     PHP Windows Mailing List (http://www.php.net/)
>>     To unsubscribe, visit: http://www.php.net/unsub.php
>>
>>
>>
>>
>>
>>
>> --------------------------------------------------------------------------

-- 
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
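
The question in this thread, why register globals matters when a visitor can edit the query string either way, is easiest to see with a variable the script never meant to read from the request. The following is an added example, not part of the original messages: it emulates `register_globals = On` with `extract()` so it runs on current PHP, and the names `is_admin`, `user_is_admin()` and both page functions are hypothetical.

```php
<?php
// Constructed request: the visitor adds a parameter the script never expected.
// Equivalent URL (hypothetical): index.php?visitor=10&is_admin=1
$request = ['visitor' => '10', 'is_admin' => '1'];

// Hypothetical stand-in for a real session or database check; nobody is admin here.
function user_is_admin(): bool
{
    return false;
}

// Behaviour with register_globals = On, emulated with extract(): every
// request parameter becomes a variable before the script's own code runs.
function page_with_register_globals(array $request): string
{
    extract($request);            // $visitor and $is_admin now exist
    if (user_is_admin()) {
        $is_admin = true;         // only assigned on success, never initialised
    }
    // $is_admin was supplied by the request, so this check passes anyway.
    return !empty($is_admin)
        ? "admin page for visitor $visitor"
        : "normal page for visitor $visitor";
}

// Behaviour with register_globals = Off: request data is reachable only
// through the superglobal array, so internal variables cannot be pre-set.
function page_with_superglobals(array $get): string
{
    $is_admin = user_is_admin();  // internal state, initialised by the script
    // Validate the one value the script does expect from the request.
    $visitor = filter_var($get['visitor'] ?? null, FILTER_VALIDATE_INT);
    if ($visitor === false) {
        return 'bad request';
    }
    return $is_admin
        ? "admin page for visitor $visitor"
        : "normal page for visitor $visitor";
}

echo page_with_register_globals($request), PHP_EOL;
echo page_with_superglobals($request), PHP_EOL;
```

In both versions the visitor controls `visitor`; only the first lets the request also decide `$is_admin`, which is why initialising internal variables and reading request data solely through `$_GET`/`$_POST` closes the gap.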

