[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: register_globals in php4

On Fri, May 10, 2002 at 01:11:41AM +0800, Patrick Hsieh wrote:
> Yes. But when a user type the url something like login.php?id=fakeid
> Then $HTTP_GET_VARS['id'] and $_GET['id'] will also get "fakeid", right?
> How do I avoid users affecting the system by changing the variable
> values in the URL directly? If not, is there any way to protect myself
> from malicious url injection attack?

You don't avoid that.  You can't avoid it.  register_globals didn't
avoid it either and if you rely on such behvaiour then your application
is clearly very broken.

You should always check the data supplied to your CGI *very* carefully
for just this reason.

See for instance (randomly picked from google):

Simon  [ huggie@earth.li ] *\          "JarJar Binks^W^WSupport for  \**
****** ]-+-+-+-+-+-+-+-+-[ **\   CRLF<->LF translation in the kernel  \*
****** [  Htag.pl 0.0.19 ] ***\           must die." - Alexander Viro  \

To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: