[snip] If you code properly, you could get away with turning register_globals on, but this requires you to be very careful when thinking about the logic of your code. [/snip]
I really do hate to see the misconception about register globals continue. The bottom line is variable handling, especially where variables are passed via the GET form method (which places key=value pairs in the URL, making them highly visible). All variables should be tested for improper formation (with rg ON or OFF) if these variables arrive from an outside source.

Consider the example http://www.yourserver.com/login.php?authorized=true

If rg is on, the value of $authorized == "true"
If rg is off, the value of $_GET['authorized'] == "true"

In this case the programmer will be testing (either one) for "true", and placing login information in the URL is just bad form.

The real problem comes with things like SQL injection (much too much info for this e-mail; I suggest some searching and reading, Google is your friend). Consider the following URL:

http://www.yourserver.com/login.php?username=hi'%20OR%201=1--

This not only returns true (which should log the user in) but also might return the complete list of usernames. It doesn't matter whether rg is on or off if no validation is done on the variables being passed.

With register globals off the programmer is given an advantage, that advantage being the knowledge of the origin of the variable. If it is in the $_GET array we know where it came from. Likewise with the other predefined variable arrays.

What should you do? Initialize all variables. If variables arrive via an outside source (with rg ON you could call your variable names dependent upon the form method, such as name="getUserName" which becomes $getUserName), validate them properly before use and reject them if wrong.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
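The three steps the post recommends (initialize, validate by origin, never trust the value in SQL) applied to the login.php example, as an added illustration that is not part of the original message; the users table, its columns and the in-memory SQLite database are assumptions made so the script runs on its own.

```php
<?php
// Added example (not from the original post): login.php written so that it
// behaves the same whether register_globals is on or off.

// 1. Initialize every variable you rely on. With register_globals on, an
//    uninitialized $authorized could otherwise be seeded from the query
//    string (login.php?authorized=true) before this line is reached.
$authorized = false;
$username   = '';

// 2. Take input only from the predefined arrays, so its origin is known
//    ($_GET here), never from a bare global that "appeared" somehow.
$rawUser = isset($_GET['username']) ? $_GET['username'] : '';

// 3. Validate the form of the value and reject anything malformed.
//    A quote, a space or "--" cannot pass this whitelist, so the
//    hi' OR 1=1-- value from the post is rejected here.
if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $rawUser)) {
    header('HTTP/1.0 400 Bad Request');
    exit('invalid username');
}
$username = $rawUser;

// 4. Even after validation, do not splice the value into SQL text; bind it
//    as a parameter so the database treats it as data, never as syntax.
//    Assumption: an in-memory SQLite database with one constructed row.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY)');
$pdo->exec("INSERT INTO users (username) VALUES ('alice')");

$stmt = $pdo->prepare('SELECT username FROM users WHERE username = :u');
$stmt->execute(array(':u' => $username));

// fetchColumn() returns false when no row matched, so $authorized is only
// ever set from the query result, never from anything the client sent.
$authorized = ($stmt->fetchColumn() !== false);

// Output is escaped as well; validated input is still untrusted data.
echo $authorized
    ? 'welcome, ' . htmlspecialchars($username) . "\n"
    : "unknown user\n";
```

With this structure the presence of a stray ?authorized=true in the URL changes nothing, because the script never reads that name from the request and overwrites its own copy before use.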