On Wed, 4 Jun 2003, Leif K-Brooks wrote:
> It's true that register_globals being on only makes sloppy code more
> insecure. Most people aren't going to write perfect code, though. It's
> incredibly annoying to have to unset every variable that shouldn't be
> from an outside source. Even if you do so, it's very likely that you
> will forget one variable on one page. It will, of course, be the
> variable allowing admins to blow up a nuclear bomb over New York. :)
It's incredibly annoying to have to initialize your variables?
This would be an example:
for($i=0;$i<10;$i++) {
$str .= $i;
}
Here, since you haven't initialized $str and you are appending to it,
someone can inject something into $str via GET or POST data. To fix it,
you have to make the code:
$str = '';
for($i=0;$i<10;$i++) {
$str .= $i;
}
Is that really what you find incredibly annoying? Even without
register_globals, you should be initializing your variables this way.
What if other parts of your code happened to use $str and left stuff in it
you didn't expect?
-Rasmus
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
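The mechanism Rasmus describes, worked through as an added example (not code from the original thread or from PHP's own sources): because register_globals was removed in PHP 5.4, the example emulates it with extract() over a constructed request array, so the $request contents, the helper function names and the error-handler audit hook are all assumptions made for illustration. It shows the uninitialized loop being seeded by request data, the initialized loop ignoring it, and the "Undefined variable" warning that full error reporting gives you as a cue to add the missing initialization.

```php
<?php
// Added example, not part of the original mailing-list post.
// register_globals was removed in PHP 5.4, so its behaviour is emulated here by
// calling extract() on a constructed request array. extract() over request data
// is exactly the pattern to avoid in real code; it is used here only to reproduce
// the old behaviour inside a contained function.
declare(strict_types=1);

// Constructed sample request: a GET parameter whose name collides with a
// local variable the script never initialized.
$request = ['str' => '<script>alert(1)</script>'];

// The sloppy version from the post: $str is appended to without being set first.
function buildUninitialized(array $globals): string
{
    extract($globals);            // emulate register_globals: 'str' becomes $str
    for ($i = 0; $i < 10; $i++) {
        $str .= $i;               // appends to whatever the request seeded
    }
    return $str;
}

// The fixed version: explicit initialization overwrites anything injected,
// whether it came from register_globals or from earlier code reusing $str.
function buildInitialized(array $globals): string
{
    extract($globals);
    $str = '';
    for ($i = 0; $i < 10; $i++) {
        $str .= $i;
    }
    return $str;
}

// A cheap audit aid: with register_globals off and E_ALL reporting, appending
// to a variable that was never set raises an "Undefined variable" diagnostic.
// Treat each one as a place that needs an explicit initialization.
error_reporting(E_ALL);
set_error_handler(function (int $errno, string $errstr): bool {
    echo "audit hint: $errstr\n";
    return true;
});

echo buildUninitialized($request), "\n"; // <script>alert(1)</script>0123456789
echo buildInitialized($request), "\n";   // 0123456789
echo buildUninitialized([]), "\n";       // audit hint about undefined $str, then 0123456789
restore_error_handler();
```

Run it with any PHP 7 or 8 CLI. The third call is the useful one for review work: with nothing injected, the only trace of the bug is the undefined-variable diagnostic, which is why the post's advice to initialize regardless of register_globals holds, and why error reporting should be left on in development.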