Re: register_globals (was Re: PHP Security Hole)

by David Mintz <mambomintz(at)yahoo.com>

 Date:  Thu, 7 Mar 2002 19:22:55 -0800 (PST)
 To:  Hank Marquardt <hmarq(at)yerpso.net>,
Kathy Wheeler <kathyw(at)home.albury.net.au>
 Cc:  hwg-languages(at)hwg.org
Actually I just started recoding a little project
that's nearly done, to make it work without relying on
register_globals. Cleaning up hasn't been difficult
(these scripts aren't too long and complicated). If
for example you have a variable that's frequently
referenced (such as $action, signifying what the user
is trying to do), just saying
$action = $_POST['action'] at the top takes care of it
nicely, too.

And of course there's that warm fuzzy feeling that
accompanies the knowledge that I'm doing things...
well, if not "right," better now than before (-:

Thanks much for the discussion and tips, it's been
helpful.


     David


--- Hank Marquardt <hmarq(at)yerpso.net> wrote:
> Yes this does open up all the problems that
> disabling register_globals
> fixes, but the issue is that it is a replacement for
> register_globals
> should it be removed from the language.
> 
> Basically a kludge to fix old code that no one wants
> to rewrite.
> 
> H
> 
> On Thu, Mar 07, 2002 at 06:33:21AM +1100, Kathy
> Wheeler wrote:
> > 
> > But wouldn't that open you up to the same security
> vulnerability that got
> > register_globals into trouble in the first place -
> malicious data in
> > arbitrary variable names? Wouldn't it be safer and
> not too difficult to
> > specifically extract, test (and reassign) your
> known variables ?
> > 
> > KathyW.
> > 
> > On Thursday 07 March 2002 04:47, you wrote:
> > > The hack is easy --
> > >
> > > extract($_POST);
> > > extract($_COOKIE);
> > > extract($_GET);
> > > extract($_SESSION);

David Mintz
Spanish Interpreter, US District Court
Southern District of New York
Web Design & Hosting http://dmintzweb.com/
Personal http://panix.com/~dmintz/
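The two approaches the thread argues over, side by side, as an added example (this is not code from anyone in the thread). The $post array is a constructed stand-in for $_POST so the script runs offline with `php example.php`; userIsAdmin() is an assumed placeholder for whatever the real application uses to decide access.

```php
<?php
// Added example, not from the thread. Simulates Hank's extract($_POST) shortcut
// next to Kathy's "specifically extract, test and reassign your known variables".
// $post is a constructed stand-in for $_POST; userIsAdmin() is an assumed helper.

// Constructed request. A legitimate form only sends 'action' and 'id'; the extra
// 'authorized' key is what an attacker adds to exploit variable injection.
$post = [
    'action'     => 'delete',
    'id'         => '42 OR 1=1',
    'authorized' => '1',
];

// Assumed placeholder for the application's real access check.
function userIsAdmin(): bool
{
    return false;   // the simulated visitor is NOT an admin
}

// The register_globals-style kludge: every request key becomes a local variable.
function handleWithExtract(array $post): string
{
    // Default flag is EXTR_OVERWRITE: $action, $id AND $authorized all spring into being.
    extract($post);

    if (userIsAdmin()) {
        $authorized = true;            // only ever set on success, never initialised to false first...
    }

    if (!empty($authorized)) {         // ...so the attacker-supplied '1' satisfies the test
        return "extract(): performed '$action' on id '$id'";
    }
    return 'extract(): denied';
}

// Explicit extraction: known names only, each one tested and reassigned with a safe type.
function handleExplicitly(array $post): string
{
    // 1. Pull only the keys this script knows about; anything else in $post is ignored.
    $action = $post['action'] ?? 'view';
    $rawId  = $post['id'] ?? null;

    // 2. Test each value before use.
    $allowedActions = ['view', 'edit', 'delete'];
    if (!in_array($action, $allowedActions, true)) {
        return 'explicit: rejected unknown action';
    }
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 'explicit: rejected non-numeric id';
    }

    // 3. Authorisation comes only from server-side state; the request cannot seed it.
    $authorized = userIsAdmin();
    if (!$authorized) {
        return "explicit: denied '$action' on id $id";
    }
    return "explicit: performed '$action' on id $id";
}

echo handleWithExtract($post), PHP_EOL;
echo handleExplicitly($post), PHP_EOL;
```

Run against the constructed request, the extract() version reports that it performed the delete for a non-admin visitor, because the attacker's 'authorized' key was already a variable by the time the script tested it; the explicit version never gets that far, rejecting the id before authorisation is even consulted, and with a clean id it still denies the action because $authorized is computed only from userIsAdmin(). extract() does accept EXTR_SKIP or EXTR_PREFIX_ALL to stop it overwriting variables that already exist, but neither flag helps with the pattern shown here, where the variable is not initialised before the check.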




HWG: hwg-languages mailing list archives, maintained by Webmasters @ IWA