> If you are careful, you can defend against Scenario 1 with register_globals
> on, but you need to understand all the stuff that PHP is doing with the
> data, and that is a fairly complicated picture. Your application can still
> work even if you don't understand that picture, and that is how insecure
> applications come about. With register_globals off, the data movement
> picture is much simpler, and this is more of a "fail-safe" mode: if you
> don't understand how the data moves around in PHP, your application simply
> breaks ;)
In your scenario, setting your error_reporting level to E_ALL will throw a
warning when you use an uninitialized $admin variable. That will prompt you
to initialize $admin correctly and thus be fine with register_globals turned
on. I don't think it is quite as hard as everyone says to write
register_globals-safe code.

-Rasmus

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
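The uninitialized-$admin scenario discussed in this exchange, as an added example that is not part of the thread and is not Rasmus's code. It shows both defences he names: error_reporting(E_ALL) surfacing the undefined read, and explicit initialisation making the check safe regardless of the register_globals setting. register_globals itself was removed in PHP 5.4, so the script emulates its effect with extract() on a constructed $request array; is_admin_user() is a hypothetical stand-in for a real user-store lookup.

```php
<?php
declare(strict_types=1);

// Added example (not from the mailing-list thread). Reproduces the
// "uninitialized $admin" bug and the two fixes discussed: E_ALL to make the
// bug visible, and explicit initialisation so the code is safe either way.

error_reporting(E_ALL);           // undefined-variable reads are reported
ini_set('display_errors', '1');   // ...and printed, so the demo shows them

// Hypothetical lookup standing in for the application's real user store.
function is_admin_user(string $user): bool
{
    return $user === 'alice';
}

// Unsafe: $admin is assigned on one branch only but read unconditionally.
// extract($request) emulates register_globals=on, which imported request
// parameters into PHP's scope before any of the script's own code ran.
function check_admin_unsafe(string $user, array $request = []): bool
{
    extract($request);                // emulated register_globals import (constructed)
    if (is_admin_user($user)) {
        $admin = true;
    }
    // With no import and a non-admin user, $admin is undefined here and
    // E_ALL reports "Undefined variable $admin" (a Notice before PHP 8).
    // With an 'admin' parameter in the request, the request chose the answer.
    return (bool) $admin;
}

// Safe: $admin is given a known value before it is ever read, so neither an
// undefined read nor an imported request variable can change the outcome.
function check_admin_safe(string $user, array $request = []): bool
{
    extract($request);                // emulated import still happens first...
    $admin = false;                   // ...but explicit initialisation overrides it
    if (is_admin_user($user)) {
        $admin = true;
    }
    return $admin;
}

// Constructed test cases: an ordinary user with a clean request, the same
// user with a request carrying admin=1, and a genuine administrator.
$cases = [
    ['bob',   []],
    ['bob',   ['admin' => '1']],
    ['alice', []],
];

foreach ($cases as [$user, $request]) {
    printf("user=%-5s request=%-14s unsafe=%-5s safe=%s\n",
        $user,
        json_encode($request),
        var_export(check_admin_unsafe($user, $request), true),
        var_export(check_admin_safe($user, $request), true));
}
```

Run it with the PHP CLI. The first case triggers the E_ALL warning from check_admin_unsafe(), which is the prompt to initialise $admin that Rasmus describes; the second case shows why that initialisation matters, since the unsafe check is decided by the request while the safe check is not; the third case behaves identically for both.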