What I don't understand is: if $_GET is being used, people can just change the URL anyway, so why is it an issue?
Ben
All that it is about is that if you have code like this:
if($user=='admin' && $pwd=='secretpassword') { $admin=true; }
and register_globals is on, someone can pass a GET (or, to make it more comfortable, a cookie) variable and gain admin access. Sure, you should initialize all your variables with safe values and you are fine:
$admin=false;
if($user=='admin' && $pwd=='secretpassword') { $admin=true; }
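The difference discussed in this thread, as an added example that is not part of the original messages: register_globals no longer exists (removed in PHP 5.4), so it is emulated here with extract(), and the function names and sample requests are constructed for illustration. It runs the uninitialised check, the initialised check, and an explicit $_GET-style lookup against the same inputs.

```php
<?php
// Added example. register_globals was removed in PHP 5.4, so it is emulated
// here with extract(), which also turns request keys into variables.

function check_uninitialised(array $request): bool
{
    extract($request);                      // request keys become local variables
    if (($user ?? '') == 'admin' && ($pwd ?? '') == 'secretpassword') {
        $admin = true;
    }
    return !empty($admin);                  // $admin may have come from the request
}

function check_initialised(array $request): bool
{
    extract($request);
    $admin = false;                         // safe default overwrites any injected value
    if (($user ?? '') == 'admin' && ($pwd ?? '') == 'secretpassword') {
        $admin = true;
    }
    return $admin;
}

function check_explicit(array $get): bool
{
    // Counterpart of reading $_GET directly: only the named keys are consulted,
    // so an extra "admin" parameter never becomes a variable.
    $user = $get['user'] ?? '';
    $pwd  = $get['pwd'] ?? '';
    return $user === 'admin' && $pwd === 'secretpassword';
}

// Constructed sample requests (query string already parsed into an array).
$samples = [
    'no parameters'       => [],
    'valid credentials'   => ['user' => 'admin', 'pwd' => 'secretpassword'],
    'extra admin=1 param' => ['admin' => '1'],
];

foreach ($samples as $label => $request) {
    printf("%-20s uninitialised=%-5s initialised=%-5s explicit=%s\n",
        $label,
        var_export(check_uninitialised($request), true),
        var_export(check_initialised($request), true),
        var_export(check_explicit($request), true));
}
```

Only the uninitialised check lets the request decide the value of $admin; with an explicit lookup the request can change the values of the keys the script reads, but cannot create variables the script never asked for.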