Register globals essentially takes the value of $_SESSION['foo'] and creates $foo. It does the same thing for GET, POST, COOKIES, etc.
The problem here is that you have no way of telling if $foo was a POST variable, GET, SESSION, or whatever. So, I can choose to append ?admin=1 to one of your URLs, and if you do not do any checking or variable initialising, it might be possible for me to fake myself as a user with admin clearance, or anything else that would be considered a risk.

The super global arrays like $_SESSION exist, and can be used, regardless of whether register globals is on or off. If you start relying on $_SESSION['foo'] rather than $foo, $_POST['bah'] instead of $bah and $_GET['xyz'] instead of $xyz, you've made a great start. You should be able to use $_SESSION right now, but be aware that the manual says if you choose to use $_SESSION, then you should stop using functions such as session_register().

The next logical step would be to manually turn off register globals for your site, using a directory-level .htaccess file in your document root. An example of this file would be:

---
<IfModule mod_php4.c>
php_flag register_globals off
</IfModule>
---

Do a whole bunch of testing on your LAN, make any changes you need to make to your code, perhaps turn the error reporting to the highest level (E_ALL) to see what warnings you get, then try the same on your live server.

Justin

on 29/05/03 3:18 AM, Pushpinder Singh Garcha ([EMAIL PROTECTED]) wrote:

> Since register_globals() is ON on my server, I need to be able to
> figure out a way to ensure session security.
> Another question I had was that, with register_globals() ON can I
> still use the $_SESSION to set my variables ? I want to avoid recoding
> the entire application, so I want to see what can be done to enhance
> security with the current setup.
>
> Does the super-global array approach i.e. $_SESSION work, irrespective
> of the fact that REGISTER_GLOBALS is ON / OFF ?
> If I start setting session variables in the $_SESSION array from now
> on, will it improve the security of the session. I am a newbie in PHP
> session handling and am sorry if any of the above questions sound
> extremely lame.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
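The two coding patterns discussed in the reply, side by side, as an added example that is not from the thread or from either poster: a privilege check that depends on a bare global under register_globals, and the hardened form that initialises its variables and reads only from $_SESSION. The function names, the $_SESSION['admin'] key and the assumption that session_start() was already called are all mine.

```php
<?php
// Added example. Assumes session_start() has already run in this request.

// --- Before: the pattern the reply warns about --------------------------
// With register_globals on, $admin may have been created from the query
// string (?admin=1), a cookie, a POST field or the session, and the code
// cannot tell which. Nothing here initialises it, so an injected value wins.
function is_admin_unsafe()
{
    global $admin;
    return !empty($admin);
}

// --- After: explicit initialisation, superglobals only ------------------
// The variable is set to a known value first, and privilege is read from
// $_SESSION alone, which is server-side state the client cannot write to.
function is_admin_safe()
{
    $admin = false;                                  // explicit initialisation
    if (isset($_SESSION['admin'])) {
        $admin = ($_SESSION['admin'] === true);      // strict comparison
    }
    return $admin;
}

// The single place the flag is ever granted (after a successful login),
// written to $_SESSION rather than to a bare $admin via session_register().
function grant_admin()
{
    $_SESSION['admin'] = true;
}

// Transition-period check for the testing the reply recommends: while the
// .htaccess change has not yet taken effect, make the setting visible under
// E_ALL so it is not forgotten before going live.
error_reporting(E_ALL);
if (ini_get('register_globals')) {
    trigger_error('register_globals is still on; use $_SESSION/$_GET/$_POST only',
                  E_USER_WARNING);
}
```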