On Wed, 4 Jun 2003, Leif K-Brooks wrote:
> It's true that register_globals being on only makes sloppy code more
> insecure. Most people aren't going to write perfect code, though. It's
> incredibly annoying to have to unset every variable that shouldn't be
> from an outside source. Even if you do so, it's very likely that you
> will forget one variable on one page. It will, of course, be the
> variable allowing admins to blow up a nuclear bomb over New York. :)

It's incredibly annoying to have to initialize your variables? This would be an example:

    for($i=0;$i<10;$i++) {
        $str .= $i;
    }

Here, since you haven't initialized $str and you are appending to it, someone can inject something into $str via GET or POST data. To fix it, you have to make the code:

    $str = '';
    for($i=0;$i<10;$i++) {
        $str .= $i;
    }

Is that really what you find incredibly annoying? Even without register_globals, you should be initializing your variables this way. What if other parts of your code happened to use $str and left stuff in it you didn't expect?

-Rasmus
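
The two loops from the message above, as an added example that is not part of the original thread. register_globals no longer exists in current PHP, so extract() over a constructed $request array stands in for it; the function names and the error handler are this example's own.

```php
<?php
// Added example, not code from the thread. Assumption: extract() on a
// constructed array emulates what register_globals = On did with GET/POST data.

// Constructed sample input: what a request with ?str=INJECTED would supply.
$request = ['str' => 'INJECTED'];

// The first loop from the message: $str is never initialized.
function build_uninitialized(array $request): string
{
    extract($request);             // request keys become local variables
    for ($i = 0; $i < 10; $i++) {
        $str .= $i;                // appends to whatever the request put in $str
    }
    return $str;
}

// The corrected loop from the message: $str is initialized first.
function build_initialized(array $request): string
{
    extract($request);
    $str = '';                     // discards any request-supplied value
    for ($i = 0; $i < 10; $i++) {
        $str .= $i;
    }
    return $str;
}

// Check for forgotten initializations: promote PHP's "undefined variable"
// diagnostic (and every other notice or warning) to an exception, so a test
// run without request data fails loudly instead of silently continuing.
set_error_handler(function (int $severity, string $message, string $file, int $line) {
    throw new ErrorException($message, 0, $severity, $file, $line);
});

echo 'uninitialized: ', build_uninitialized($request), "\n";
echo 'initialized:   ', build_initialized($request), "\n";

try {
    build_uninitialized([]);       // no request data, so $str is undefined
} catch (ErrorException $e) {
    echo 'caught: ', $e->getMessage(), "\n";
}
```

Running the unfixed function with an empty request is what exposes the missing initialization; with the handler in place it raises instead of returning a value.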