OK, so I was really bored today and started reading through some PHP security stuff starting with the php.ini-recommended and found the register globals off stuff. So you don't have to find it yourself, here's a direct lift from the file:
; This is the recommended, PHP 4-style version of the php.ini-dist file. It
; sets some non standard settings, that make PHP more efficient, more secure,
; and encourage cleaner coding.
; The price is that with these settings, PHP may be incompatible with some
; applications, and sometimes, more difficult to develop with. Using this
; file is warmly recommended for production sites. As all of the changes from
; the standard settings are thoroughly documented, you can go over each one,
; and decide whether you want to use it or not.
;
; For general information about the php.ini file, please consult the php.ini-dist
; file, included in your PHP distribution.
;
; This file is different from the php.ini-dist file in the fact that it features
; different values for several directives, in order to improve performance, while
; possibly breaking compatibility with the standard out-of-the-box behavior of
; PHP 3. Please make sure you read what's different, and modify your scripts
; accordingly, if you decide to use this file instead.
;
; - register_globals = Off [Security, Performance]
; Global variables are no longer registered for input data (POST, GET, cookies,
; environment and other server variables). Instead of using $foo, you must use
; you can use $_REQUEST["foo"] (includes any variable that arrives through the
; request, namely, POST, GET and cookie variables), or use one of the specific
; $_GET["foo"], $_POST["foo"], $_COOKIE["foo"] or $_FILES["foo"], depending
; on where the input originates. Also, you can look at the
; import_request_variables() function.
; Note that register_globals is going to be depracated (i.e., turned off by
; default) in the next version of PHP, because it often leads to security bugs.
; Read http://php.net/manual/en/security.registerglobals.php for further
; information.
I understand that this applies to data put into a form to be submitted to a database (or another page, I guess), but does it also apply to variable/value pairs passed along the URL from a hyperlink (<a href="foo/bar.php?thisVar=thisVal">Click here.</a>)? I couldn't quite get it from the explanation above. Would I need to reference the passed variable with $_GET["thisVal"] on the receiving page (bar.php)? I'm sure I would have to if $thisVar was passed from a form with the GET method, but wasn't sure about the hyperlink stuff. Anybody working with register globals off already that can clear this up?

Thanks,
Rich

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
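
As an added example (not code from Rich's post or from the PHP project), here is how the receiving bar.php would read thisVar with register_globals = Off: a query-string parameter lands in $_GET whether it came from a hyperlink, a GET form or the address bar. The whitelist of colour values and the 400 response are assumptions for the example.

```php
<?php
// Added example, not code from Rich's post or from the PHP project.
// bar.php as it would be written for register_globals = Off. Whether thisVar
// arrives from <a href="foo/bar.php?thisVar=...">, from a <form method="get">,
// or is typed into the address bar, it is a query-string parameter and PHP
// puts it in $_GET; with register_globals off nothing creates $thisVar for you.

// Values bar.php is willing to act on (assumed whitelist for the example).
$allowedValues = array('red', 'green', 'blue');

/**
 * Read thisVar from a query-string array and return it only if it is on the
 * whitelist; otherwise return null. Taking $get as a parameter keeps the
 * function testable without a real request.
 */
function readThisVar(array $get, array $allowed)
{
    // Initialise explicitly: with register_globals on, a request could have
    // pre-set any unassigned variable, which is the class of bug the ini
    // comment warns about. With it off, this script is the only writer.
    $value = null;
    if (isset($get['thisVar']) && is_string($get['thisVar'])
        && in_array($get['thisVar'], $allowed, true)) {
        $value = $get['thisVar'];
    }
    return $value;
}

/** Build the link for the sending page; urlencode() keeps the query well formed. */
function buildLink($value)
{
    return 'foo/bar.php?thisVar=' . urlencode($value);
}

$thisVar = readThisVar($_GET, $allowedValues);

if ($thisVar === null) {
    header('HTTP/1.0 400 Bad Request');
    echo 'Missing or invalid thisVar.';
    exit;
}

// Escape on output even though the value passed the whitelist.
echo '<p>You chose ' . htmlspecialchars($thisVar, ENT_QUOTES, 'UTF-8') . '.</p>';
echo '<a href="' . htmlspecialchars(buildLink('blue'), ENT_QUOTES, 'UTF-8')
   . '">Click here.</a>';
```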
