> And what should these precautions be?  If a malicious user can submit
> his own form and you are looking for a POST variable, how can you
> ensure that $admin came from your form and not that user's?  

The problem is when a cracker uses form variables in an attempt to set the
values of "flag" variables kept only in the session, for example, $isAdmin.
As far as the form variables *you* put in your form, it doesn't matter
whether the user submits your form or a form they made themselves. Those
form variables are just data you are trying to collect.

With register_globals on, PHP takes *all* variables (GET, POST, COOKIE)
received from the client and assigns them to global variables. So if the
user posts a value for $isAdmin, she can give herself admin privileges.

The key is to retrieve *only* the form variables *you* put in the form from
the $_POST array. So don't write a loop and grab *everything* from that
array.

Kirk

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
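
The point made in the reply above, as an added example that is not part of the original message: a "grab everything" loop over the POST data next to an allowlist read. The field names `username` and `comment`, the helper names, and the sample request are hypothetical, and the syntax assumes PHP 7 or later.

```php
<?php
// Constructed sample input: a forged POST that carries an extra "isAdmin"
// field the real form never contained.
$post = ['username' => ' alice ', 'comment' => 'hello', 'isAdmin' => '1'];

// Server-side flag, meant to be set only by application logic (e.g. login).
$session = ['isAdmin' => false];

// Anti-pattern: copy every submitted key into application state. This is
// the effect register_globals has on global variables.
function importEverything(array $post, array $state): array
{
    foreach ($post as $key => $value) {
        $state[$key] = $value; // a client-chosen key overwrites the flag
    }
    return $state;
}

// Allowlist: read only the fields the form defines and ignore the rest.
// (Hypothetical helper; $expected lists the form's own field names.)
function readFormFields(array $post, array $expected): array
{
    $fields = [];
    foreach ($expected as $name) {
        $value = $post[$name] ?? '';
        // A client can also submit name[]=x, which arrives as an array;
        // treat anything that is not a string as missing.
        $fields[$name] = is_string($value) ? trim($value) : '';
    }
    return $fields;
}

// With the loop, the admin flag ends up holding the client's value.
$unsafe = importEverything($post, $session);
echo 'loop import, isAdmin: ';
var_dump((bool) $unsafe['isAdmin']);

// With the allowlist, the extra field is never read and the flag is untouched.
$form = readFormFields($post, ['username', 'comment']);
echo 'allowlist, isAdmin present in form data: ';
var_dump(array_key_exists('isAdmin', $form));
echo 'allowlist, session isAdmin: ';
var_dump($session['isAdmin']);
```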
