Re: register_globals in php4
Hello "Christian G. Warden" <cwarden@xerus.org>,
Yes. But when a user types a URL like login.php?id=fakeid,
then $HTTP_GET_VARS['id'] and $_GET['id'] will also get "fakeid", right?
How do I avoid users affecting the system by changing the variable
values in the URL directly? If not, is there any way to protect myself
from malicious URL injection attacks?
On Thu, 9 May 2002 09:51:02 -0700
"Christian G. Warden" <cwarden@xerus.org> wrote:
> one of the php lists is probably a better forum for this question, but
> in short, register_globals=off means that if you want to use the "id"
> variable passed in the query string by the browser, you would access it as
> $HTTP_GET_VARS['id'], or $_GET['id'] in 4.1+, rather than $id. more info
> at http://www.php.net/manual/en/language.variables.predefined.php
>
> xn
>
> On Fri, May 10, 2002 at 12:09:22AM +0800, Patrick Hsieh wrote:
> > Hello list,
> >
> > PHP 4.1 recommends setting register_globals=off in php.ini to make PHP
> > more strict. My question is, if I turn off register_globals, what will
> > happen if a malicious user just tries to modify the variable values in
> > the URL? Say,
> >
> > http://www.domain.com/xxx.php?id=3&sex=female
> >
> > Does it work if a user just changes the value in the URL directly and sends
> > the URL directly to the web server?
> >
> > How can we avoid malicious attacks by direct HTTP GET/POST with
> > modified parameter values that cause system errors or compromise?
> >
> >
> > --
> > Patrick Hsieh <pahud@pahud.net>
> > GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg
> >
> >
> > --
> > To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
--
Patrick Hsieh <pahud@pahud.net>
GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg
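An added example, not from this thread, of the pattern Christian describes: with register_globals=off the script reads its parameters explicitly from $_GET and checks each one before it is used anywhere. The $_GET contents are a constructed sample standing in for the query string in Patrick's message, and validate_request and $allowed_sex are names chosen for illustration.

```php
<?php
// Added example (not from the thread). Shows why register_globals=off
// matters and how to validate $_GET values before using them.

// With register_globals=on, a request such as page.php?authorized=1 creates
// $authorized in the global scope before this script runs, so a script that
// only tests "if ($authorized)" without initialising it can be bypassed.
// With register_globals=off the variable exists only if this script sets it.
$authorized = false;

// Constructed sample input standing in for a real query string
// (the thread's example: xxx.php?id=3&sex=female).
$_GET = array('id' => '3', 'sex' => 'female');

function validate_request(array $get)
{
    // id must consist of digits only; a value such as "fakeid" from
    // login.php?id=fakeid is rejected rather than silently cast to 0.
    if (!isset($get['id']) || !preg_match('/^[0-9]{1,9}$/', $get['id'])) {
        return null;
    }
    $id = (int) $get['id'];

    // sex must be one of a fixed set of values ($allowed_sex is illustrative);
    // strict comparison so that "0" or similar does not match loosely.
    $allowed_sex = array('female', 'male');
    if (!isset($get['sex']) || !in_array($get['sex'], $allowed_sex, true)) {
        return null;
    }

    return array('id' => $id, 'sex' => $get['sex']);
}

$params = validate_request($_GET);
if ($params === null) {
    // A tampered URL ends here instead of reaching database or
    // application logic with attacker-chosen values.
    header('HTTP/1.0 400 Bad Request');
    exit('Invalid request parameters');
}

// From here on only the validated, typed copies are used, e.g. $params['id']
// (an int) in the query the application builds, never raw $_GET input.
echo 'id=' . $params['id'] . ' sex=' . $params['sex'] . "\n";
?>
```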