ONJava.com -- The Independent Source for Enterprise Java
Article:   Ten Security Checks for PHP, Part 1
Subject:   Register Globals on
Date:   2003-05-22 23:55:36
From:   clancymalcolm
Response to: Register Globals on

It IS possible to write "secure" PHP applications with register globals turned on - it is just harder than if they were turned off. For example, a couple of years ago I discovered a security flaw in PHPShop where you could bypass their authentication system by passing it some values in the URL that set global variables to fool it into thinking you were logged in. It was possible to fix this problem by making sure the variables were explicitly unset in the code before checking the authentication, but the problem never would have occurred if register_globals was turned off.


Hope this helps.


Cheers,
Clancy
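
Added example (not part of the comment above, and not PHPShop's code): the class of flaw the comment describes, next to the two remedies it mentions. The function names and the `logged_in` variable are hypothetical, and because register_globals was removed in PHP 5.4 its effect is emulated here with `extract()`.

```php
<?php
// Emulates register_globals=On: request parameters become plain variables
// before the script's own logic runs. EXTR_SKIP keeps the function's own
// parameters from being clobbered.

// Flawed pattern: $logged_in is assigned only on success and never initialised,
// so a request parameter of the same name is taken as the login state.
function check_auth_vulnerable(array $request, array $session): bool
{
    extract($request, EXTR_SKIP);
    if (isset($session['user'])) {
        $logged_in = true;
    }
    return !empty($logged_in);
}

// Remedy 1 (the fix described in the comment): explicitly unset the variable
// before the authentication check, so only the check itself can set it.
function check_auth_unset(array $request, array $session): bool
{
    extract($request, EXTR_SKIP);
    unset($logged_in);
    if (isset($session['user'])) {
        $logged_in = true;
    }
    return !empty($logged_in);
}

// Remedy 2 (register_globals off): request data is never imported into the
// variable scope; the decision reads server-side session state only.
function check_auth_no_import(array $request, array $session): bool
{
    return isset($session['user']);
}

// Constructed sample inputs.
$cases = [
    'no session, ?logged_in=1' => [['logged_in' => '1'], []],
    'valid session'            => [[], ['user' => 'alice']],
];

foreach ($cases as $label => [$request, $session]) {
    foreach (['check_auth_vulnerable', 'check_auth_unset', 'check_auth_no_import'] as $fn) {
        printf("%-26s %-24s %s\n", $label, $fn, var_export($fn($request, $session), true));
    }
}
```

Only the first function treats the request without a session as authenticated; all three accept the valid session, so neither remedy changes behaviour for legitimate logins.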

