Re: register_globals in php4
one of the php lists is probably a better forum for this question, but
in short, register_globals=off means that if you want to use the "id"
variable passed in the query string by the browser, you would access it as
$HTTP_GET_VARS['id'], or $_GET['id'] in 4.1+, rather than $id. more info
On Fri, May 10, 2002 at 12:09:22AM +0800, Patrick Hsieh wrote:
> Hello list,
> php4.1 recommends setting register_globals=off in php.ini to make php
> more strict. My question is, if I turn off register_globals, what will
> happen if a malicious user just tries to modify the variable values in
> the url? Say,
> Does it work if the user just changes the value in the URL directly and
> sends the url directly to the web server?
> How can we avoid a malicious attack by direct http GET/POST with
> modified parameter values to cause a possible system error or compromise?
> Patrick Hsieh <firstname.lastname@example.org>
> GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg
> To UNSUBSCRIBE, email to email@example.com
> with a subject of "unsubscribe". Trouble? Contact firstname.lastname@example.org
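
An added example, not part of the original messages: with register_globals=off the script has to read "id" explicitly from the request array, and because the browser still controls that value, the script validates it before use. The helper name read_id, the numeric limits and the sample query strings are assumptions constructed for illustration; the code is written for current PHP, where $_GET is the request array.

```php
<?php
/**
 * Hypothetical helper (not from the thread): return the "id" request
 * parameter as a positive integer, or null when it is absent or malformed.
 * $query stands in for $_GET ($HTTP_GET_VARS before PHP 4.1).
 */
function read_id(array $query, int $max = 1000000): ?int
{
    // With register_globals=off nothing is copied into $id automatically;
    // the value exists only in the request array under the key we ask for.
    if (!isset($query['id']) || !is_string($query['id'])) {
        return null; // missing, or sent as an array (?id[]=42)
    }
    $raw = $query['id'];

    // Accept digits only, with a bounded length so the cast cannot overflow.
    if ($raw === '' || strlen($raw) > 7 || !ctype_digit($raw)) {
        return null;
    }

    $id = (int) $raw;
    return ($id >= 1 && $id <= $max) ? $id : null;
}

// Constructed sample query strings, as a browser user could type them.
$samples = [
    'id=42',          // expected form
    'id=0042',        // leading zeros still parse to 42
    'id=42abc',       // trailing non-digits
    'id=-1',          // sign character is not a digit
    'id[]=42',        // array instead of scalar
    'id=99999999',    // longer than the allowed length
    'id=7&debug=1',   // extra key is ignored: only "id" is ever read
    'debug=1',        // no id at all
];

foreach ($samples as $qs) {
    parse_str($qs, $query); // same decoding PHP applies when filling $_GET
    $id = read_id($query);
    printf("%-14s => %s\n", $qs, $id === null ? 'rejected' : "id=$id");
}
```

Turning register_globals off only changes where the value arrives; the check on the value itself is what handles a parameter edited in the URL.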