Re: register_globals in php4
one of the php lists is probably a better forum for this question, but
in short, register_globals=off means that if you want to use the "id"
variable passed in the query string by the browser, you would access it as
$HTTP_GET_VARS['id'], or $_GET['id'] in 4.1+, rather than $id. more info
at http://www.php.net/manual/en/language.variables.predefined.php
xn
On Fri, May 10, 2002 at 12:09:22AM +0800, Patrick Hsieh wrote:
> Hello list,
>
> php4.1 recommends to set register_globals=off in php.ini to make php
> more strict. My question is, if I turn off register_globals, what will
> happen if any malicious user just try to modify the variable values in
> the url? Say,
>
> http://www.domain.com/xxx.php?id=3&sex=female
>
> Does it work if user just change the value in the URL directly and send
> the url directly to web server?
>
> How can we avoid the malicious attack by directly http GET/POST with
> modified parameter values to make possible system error or compromise?
>
>
> --
> Patrick Hsieh <pahud@pahud.net>
> GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg
>
>
> --
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
--
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: