Re: register_globals (was Re: PHP Security Hole)
by Kathy Wheeler <kathyw(at)home.albury.net.au>
Date: Thu, 7 Mar 2002 06:33:21 +1100
To: hwg-languages(at)hwg.org
But wouldn't that open you up to the same security vulnerability that got
register_globals into trouble in the first place - malicious data in
arbitrary variable names? Wouldn't it be safer and not too difficult to
specifically extract, test (and reassign) your known variables?
KathyW.
On Thursday 07 March 2002 04:47, you wrote:
> The hack is easy --
>
> extract($_POST);
> extract($_COOKIE);
> extract($_GET);
> extract($_SESSION);
>
> see http://www.php.net/extract
>
> Magically it works as if register_globals=on
-------------------------------------------------------
HWG: hwg-languages mailing list archives,
maintained by Webmasters @ IWA
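
An added example, not part of the original message or thread: one way to do what the reply suggests (pull only known fields out of the request, test each, then assign), shown next to the blanket extract() from the quoted message. The helper name import_known, the field names and the validation rules are assumptions, and the code is written for current PHP (7.4 or later).

```php
<?php
// Constructed sample request, standing in for a real POST body.
$_POST = [
    'username' => 'alice',
    'age'      => '34',
    'is_admin' => '1',   // not a form field: the sender chose this name
];

// Blanket import as in the quoted message: the request picks the variable names.
function blanket_import(array $request): bool
{
    $is_admin = false;   // application state set before the import
    extract($request);   // default EXTR_OVERWRITE replaces $is_admin
    return (bool) $is_admin;
}

// Hypothetical helper: read only the fields named in $rules, validate each,
// and return the cleaned values. Unknown request keys are never looked at.
function import_known(array $request, array $rules): array
{
    $clean = [];
    foreach ($rules as $name => $rule) {
        $value = $request[$name] ?? null;
        // Missing fields and array-valued input (age[]=1) are rejected.
        $clean[$name] = is_string($value) ? $rule($value) : null;
    }
    return $clean;
}

// Assumed validation rules: each returns the cleaned value or null.
$rules = [
    'username' => fn(string $v) => preg_match('/\A[a-z0-9_]{1,32}\z/i', $v) ? $v : null,
    'age'      => fn(string $v) => filter_var($v, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 150],
        'flags'   => FILTER_NULL_ON_FAILURE,
    ]),
];

$is_admin = false;
$fields   = import_known($_POST, $rules);
$username = $fields['username'];   // explicit reassignment of known names only
$age      = $fields['age'];

var_dump(blanket_import($_POST));      // state of the flag after extract()
var_dump($is_admin, $username, $age);  // state after the allowlisted import
```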