Okay, true. But the key here is the "act accordingly", meaning you sanitize and validate the variable before using it anywhere.
Sometimes the way it's represented is that just using $_GET['var'] is going to make things more secure than using $var, which is not the case unless you know what exactly $_GET['var'] contains and how you're using it.

---John W. Holmes...

PHP Architect - A monthly magazine for PHP Professionals. Get your copy today. http://www.phparch.com/

-----Original Message-----
From: Leif K-Brooks [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 25, 2003 8:15 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] variables??

No, it is more secure. The problem with register_globals is that ALL variables become global - not just the ones you want to be. Example:

    if(something)
        $authorized = true;
    if($authorized){
        ...do something requiring security...
    }

A hacker could easily go to script.php?authorized=1, and gain access. If you only allow one variable in that ($_GET['var']), you will know that the variable is from an outside source, and can act accordingly.

John W. Holmes wrote:

It is considered more secure to declare the variable explicitly.

    $var = $_GET["var"];

Ummm... that's the same result as having register_globals on (basically). You're not helping anything and it's certainly not any more "secure".

---John W. Holmes...

I'm having a problem with form data being recognized by a php script. If I send information with a GET the variable data appears in $GET[var] but not $var.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

--
The above message is encrypted with double rot13 encoding. Any unauthorized attempt to decrypt it will be prosecuted to the full extent of the law.
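The two positions in this thread side by side, as an added example that is not part of the original messages: the uninitialised $authorized pattern next to a version that initialises the flag and validates $_GET['var'] before use. Assumptions: register_globals was removed in PHP 5.4, so extract() stands in for it; the function names are hypothetical, "var" is treated as a numeric ID, and the request array is constructed.

```php
<?php
// Added example. extract() over the request array simulates what
// register_globals=On did: every request parameter becomes a variable.

// "Before": mirrors the snippet in the thread. $authorized is never
// initialised, so a request parameter of the same name can set it.
function legacy_check(array $request, bool $passwordOk): bool
{
    extract($request);                 // stand-in for register_globals (assumption)
    if ($passwordOk) {
        $authorized = true;
    }
    return !empty($authorized);
}

// "After": the flag starts from a known value, and the single expected
// parameter is read explicitly and validated before it is used anywhere.
function hardened_check(array $request, bool $passwordOk): array
{
    $authorized = false;               // explicit initialisation
    if ($passwordOk) {
        $authorized = true;
    }

    $raw = $request['var'] ?? null;    // known to come from an outside source
    $var = null;
    if (is_string($raw) && preg_match('/\A[0-9]{1,6}\z/', $raw)) {
        $var = (int) $raw;             // accepted only as a short decimal ID
    }

    return ['authorized' => $authorized, 'var' => $var];
}

// Constructed request: a forged flag plus a malformed value for "var".
$request = ['authorized' => '1', 'var' => '12; extra'];

// Same request, no valid password, run through both versions.
var_dump(legacy_check($request, false));
var_dump(hardened_check($request, false));
```

Copying $_GET['var'] into $var without the validation step leaves the value exactly as untrusted as it was under register_globals; the difference in the hardened version comes from the initialisation and the format check, not from the superglobal itself.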