On Fri, 10 May 2002, Patrick Hsieh wrote:
> php4.1 recommends to set register_globals=off in php.ini to make php
> more strict. My question is, if I turn off register_globals, what will
> happen if any malicious user just tries to modify the variable values in
> the URL? Say,
>
> http://www.domain.com/xxx.php?id=3&sex=female
>
> Does it work if a user just changes the value in the URL directly and sends
> the URL directly to the web server?
>
> How can we avoid a malicious attack by direct HTTP GET/POST with
> modified parameter values that could cause a system error or compromise?
If register_globals is off, then you'll get $_GET['id'] = 3 and $_GET['sex'] = female. It's then up to you to make sure those are okay. But at least $id and $sex won't get set until you explicitly set them in your code.

miguel

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
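The following is an added example, not code from the thread or from either poster. It shows both halves of the reply above: with register_globals=off the script sees only $_GET['id'] and $_GET['sex'] and has to validate them itself, and the trap that register_globals=on created, where an uninitialised variable could be set from the URL. The allowed values for "sex", the numeric range for "id", the sample requests and the $is_admin variable are all assumptions made for the example; extract() is used to emulate register_globals on a modern interpreter (the setting itself was removed in PHP 5.4).

```php
<?php
// Added example (not from the original thread). Run with: php -f example.php
// The $_GET-style arrays below are constructed, as parse_str() would produce
// them from the query strings shown.

declare(strict_types=1);

// Allowed literal values for "sex"; an assumption for this example.
const ALLOWED_SEX = ['male', 'female'];

// Return a validated positive integer id, or null if the value is unusable.
function validate_id(array $get): ?int
{
    $raw = $get['id'] ?? null;
    // ctype_digit rejects "", "-3", "3.5", "3 OR 1=1"; is_string rejects id[]=3.
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

// Return "sex" only if it is exactly one of the allowed values (strict compare).
function validate_sex(array $get): ?string
{
    $raw = $get['sex'] ?? null;
    if (!is_string($raw) || !in_array($raw, ALLOWED_SEX, true)) {
        return null;
    }
    return $raw;
}

// Emulation of register_globals=on: every request parameter becomes a local
// variable before the script's own code runs. Here the script never
// initialises $is_admin, so the URL decides its value.
function legacy_is_admin_uninitialised(array $get): bool
{
    extract($get);                       // emulates register_globals=on
    return isset($is_admin) && (bool) $is_admin;
}

// Same emulation, but the script initialises $is_admin itself, as miguel's
// reply recommends. The URL parameter is overwritten before it is used.
function legacy_is_admin_initialised(array $get): bool
{
    extract($get);                       // emulates register_globals=on
    $is_admin = false;                   // explicit initialisation wins
    return $is_admin;
}

// Constructed requests (query string => what $_GET would contain).
$requests = [
    'id=3&sex=female'            => ['id' => '3',        'sex' => 'female'],
    'id=3 OR 1=1&sex=female'     => ['id' => '3 OR 1=1', 'sex' => 'female'],
    'id=-1&sex=other'            => ['id' => '-1',       'sex' => 'other'],
    'id[]=3&sex=female'          => ['id' => ['3'],      'sex' => 'female'],
    'is_admin=1&id=3&sex=female' => ['is_admin' => '1', 'id' => '3', 'sex' => 'female'],
];

// Explicit validation of $_GET, which is what register_globals=off leaves to you.
foreach ($requests as $query => $get) {
    $id  = validate_id($get);
    $sex = validate_sex($get);
    $ok  = ($id !== null && $sex !== null) ? 'accepted' : 'rejected';
    printf("%-28s -> %s (id=%s, sex=%s)\n",
        $query, $ok, var_export($id, true), var_export($sex, true));
}

// The register_globals trap: the same request, with and without initialisation.
$get = $requests['is_admin=1&id=3&sex=female'];
printf("uninitialised \$is_admin: %s\n", var_export(legacy_is_admin_uninitialised($get), true));
printf("initialised   \$is_admin: %s\n", var_export(legacy_is_admin_initialised($get), true));
```

The first loop is the part that does not change with the ini setting: whatever arrives in $_GET is untrusted and must be checked against an explicit rule (digits only and in range for id, a fixed allowlist for sex) before it reaches a query or a file path. The last two calls show why the reply says "at least $id and $sex won't get set until you explicitly set them": with register_globals=on, any variable the script forgot to initialise could be supplied by the client.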