Won't this topic just die? :)

register_globals is not insecure; users are insecure.  Yes, you
can write insecure code with it on or off, and secure code with
it on or off.  By users I mean people who write code, and people
who use it (the evil users are the ones that use the website
and pass along evil REQUEST data).

In short, read these:

  http://www.php.net/variables.external
  http://www.php.net/security.registerglobals

It should be pretty clear that register_globals = off is preferred,
but it's up to you; this is why we have PHP directives.  Turning
off your computer is indeed the ideal security measure!

Regards,
Philip


On Thu, 12 Jun 2003, Jim McNeely wrote:

> I'm a bit of a neophyte with php, and I've read through lots of prior 
> posts and the php.net online docs, but some of this is still not 
> registering in my head. TIA for your patience.
> 
> I've got a script I include at the head of each of my scripts that 
> checks $_POST['username'] and $_POST['password'] against a database, 
> and exits to an error page if it doesn't check out. Every link is a 
> post where it passes these two values. So if you open any page in the 
> whole thing it has to have the actual value of a real username and 
> password or it exits to an error page asking for these values.
> 
> This seems to have been working fine, but when I installed a newer 
> version of php it started making noise about register globals being 
> off. Upon further reading, it seems SESSIONS are insecure, COOKIES are 
> insecure, POSTS and GETS are insecure. It seems to me that you would 
> have to write some exceptionally stupid code for these things to be 
> really openly insecure, so I must be missing something.
> 
> After a point it seems like if you leave your machine off or disconnect 
> it from the network that would be the most secure but you have to pass 
> this info somehow. What is the accepted practice for passing user info 
> into variables?
> 
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 


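The hazard behind the two php.net links above, as an added illustration that is not code from this thread, from php.net, or from either poster: with register_globals on, every GET/POST/cookie key becomes a PHP variable, so a script that only assigns a flag on success (and assumes it is otherwise unset) can be bypassed by a visitor who simply sends that flag as a request parameter. The function names (vulnerableCheck, hardenedCheck, checkPassword), the one-user table and the two sample requests are all constructed for the example; extract() stands in for register_globals=on so the script runs under either setting, and it assumes PHP 7 or later.

```php
<?php
// Added illustration for this thread, not code from the list or from php.net.
// Models the difference between register_globals=on and register_globals=off
// for the kind of login check described in the question. Requires PHP 7+.

declare(strict_types=1);

// Constructed stand-in for the database lookup in the original script:
// a hypothetical user table with a single account and a hashed password.
function checkPassword(string $user, string $pass): bool
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

// Vulnerable pattern: $authorized is assigned only on success and is assumed
// to be unset otherwise. extract() simulates register_globals=on, which turns
// every request key (GET, POST, cookie) into a PHP variable of the same name.
function vulnerableCheck(array $request): bool
{
    extract($request, EXTR_OVERWRITE);
    if (isset($username, $password) && checkPassword($username, $password)) {
        $authorized = true;
    }
    // A request carrying authorized=1 arrives here with $authorized already
    // set by extract(), so the password check never had to pass.
    return !empty($authorized);
}

// Hardened pattern: read only from the intended superglobal, initialise every
// state variable before use, and never let request data choose variable names.
function hardenedCheck(array $post): bool
{
    $authorized = false;
    $username = (string)($post['username'] ?? '');
    $password = (string)($post['password'] ?? '');
    if ($username !== '' && checkPassword($username, $password)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed requests: a legitimate login and an attacker's forged parameter
// (what a real client would send as the POST body, or as ?authorized=1).
$legit  = ['username' => 'alice',   'password' => 'correct horse'];
$forged = ['username' => 'mallory', 'authorized' => '1'];

foreach (['vulnerableCheck', 'hardenedCheck'] as $fn) {
    printf("%-15s legit:  %s\n", $fn, $fn($legit)  ? 'allowed' : 'denied');
    printf("%-15s forged: %s\n", $fn, $fn($forged) ? 'allowed' : 'denied');
}
```

Run it with `php example.php`: vulnerableCheck accepts the forged request even though no valid password was supplied, while hardenedCheck rejects it. The second shape is what the php.net pages recommend regardless of the directive's value: initialise your own variables and take input explicitly from $_POST, $_GET or $_COOKIE. Re-posting the username and password on every link, as the question describes, is usually replaced by verifying them once and keeping the logged-in state in $_SESSION, which the same manual chapter covers.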