Re: register_globals in php4
On Fri, May 10, 2002 at 01:11:41AM +0800, Patrick Hsieh wrote:
> Yes. But when a user types a URL something like login.php?id=fakeid
> then $HTTP_GET_VARS['id'] and $_GET['id'] will also get "fakeid", right?
> How do I avoid users affecting the system by changing the variable
> values in the URL directly? If not, is there any way to protect myself
> from malicious url injection attack?
You don't avoid that. You can't avoid it. register_globals didn't
avoid it either, and if you rely on such behaviour then your application
is clearly very broken.
You should always check the data supplied to your CGI *very* carefully
for just this reason.
See for instance (randomly picked from google):
Simon [ email@example.com ] *\ "JarJar Binks^W^WSupport for \**
****** ]-+-+-+-+-+-+-+-+-[ **\ CRLF<->LF translation in the kernel \*
****** [ Htag.pl 0.0.19 ] ***\ must die." - Alexander Viro \
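The advice above, worked through as an added example (not code from either poster or from any project): a request parameter such as id is only ever a selector, the caller's identity comes from the server-side session, and both are checked before anything is done with them. The example assumes a login handler has already stored $_SESSION['user_id'], uses hypothetical helper names and constructed ownership data, and is written in current PHP 7+ syntax rather than the PHP 4 of the thread.

```php
<?php
// Added example: every request parameter is untrusted. The account being
// acted on comes from the session, never from the URL; the record id from
// the query string is validated before use and then authorized.
//
// Assumption: a login handler has already set $_SESSION['user_id'].
// The helper functions and the ownership table below are hypothetical.

session_start();

// Validate a query-string parameter as a small positive integer.
// Returns the integer on success, or null when absent or malformed.
function get_positive_int(array $params, string $name, int $max = 1000000): ?int
{
    if (!isset($params[$name]) || !is_string($params[$name])) {
        return null;
    }
    // ctype_digit rejects signs, whitespace, hex and exponent forms such as "1e3".
    if (!ctype_digit($params[$name]) || strlen($params[$name]) > 9) {
        return null;
    }
    $value = (int) $params[$name];
    if ($value < 1 || $value > $max) {
        return null;
    }
    return $value;
}

// Identity is whatever the session says, regardless of what the URL claims.
function current_user_id(): ?int
{
    return (isset($_SESSION['user_id']) && is_int($_SESSION['user_id']))
        ? $_SESSION['user_id']
        : null;
}

// Authorization: the record must belong to the session user.
// Constructed sample data stands in for a real lookup, which would use a
// prepared statement (PDO::prepare with bound values).
function record_owned_by(int $recordId, int $userId): bool
{
    $constructedOwnership = [1 => 42, 2 => 42, 3 => 7]; // constructed sample data
    return isset($constructedOwnership[$recordId])
        && $constructedOwnership[$recordId] === $userId;
}

$userId = current_user_id();
if ($userId === null) {
    http_response_code(403);
    exit('not logged in');
}

// "id" in the URL selects a record; it is never proof of who the caller is.
$recordId = get_positive_int($_GET, 'id');
if ($recordId === null) {
    http_response_code(400);
    exit('bad id');
}

if (!record_owned_by($recordId, $userId)) {
    http_response_code(403);
    exit('not your record');
}

// Both the identity and the selector have been checked; safe to proceed.
echo 'record ', $recordId, ' for user ', $userId, "\n";
```

With this shape a request for login.php?id=fakeid fails the integer check, and a well-formed id that belongs to someone else fails the ownership check; changing the URL never changes who the server believes is logged in.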