--- [EMAIL PROTECTED] wrote:
> Yes but register_globals carries substantial security risks since a
> hacker can then set any script variable they wish merely by POSTing it
> back in response to your form.

The risk is no greater than what the original poster wants to do anyway:

    $foo = $_POST['foo'];

Whether $foo is created by register_globals being enabled or by the previous code, there is no difference in risk. The data should still be considered tainted until it has been properly validated, and disabling register_globals does not excuse you from performing this step.

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
     Coming mid-2004
HTTP Developer's Handbook - Sams
     http://httphandbook.org/
PHP Community Site
     http://phpcommunity.org/

--
PHP General Mailing List (http://www.php.net/)
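
An added example, not part of the original message, showing the validation step the reply says is required whichever way $foo is populated. The $_POST values are constructed sample input, validatedInt() and viaRegisterGlobals() are hypothetical helpers, and extract() stands in for register_globals, which was removed in PHP 5.4.

```php
<?php
// Constructed sample input standing in for a submitted form.
$_POST = ['foo' => '42; DROP TABLE users', 'age' => '31'];

// Path 1: the explicit copy from the message above.
$foo = $_POST['foo'];

// Path 2: the implicit copy register_globals used to make. extract() into a
// function scope is used as a stand-in because the directive no longer exists.
function viaRegisterGlobals(array $post): array
{
    extract($post, EXTR_SKIP);
    return get_defined_vars();
}
$implicit = viaRegisterGlobals($_POST);

/**
 * Hypothetical validator: accept only a decimal integer within [$min, $max].
 * Returns the integer, or null when the field is missing or malformed.
 */
function validatedInt(array $source, string $key, int $min, int $max): ?int
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return null; // missing field, or an array smuggled in as foo[]=...
    }
    $value = filter_var($source[$key], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $value === false ? null : $value;
}

// Compare what each path put into the variable: neither one validated it.
var_dump($foo === $implicit['foo']);

// Run both fields through the validator before any further use.
foreach (['foo' => [0, 1000], 'age' => [0, 150]] as $key => [$min, $max]) {
    $clean = validatedInt($_POST, $key, $min, $max);
    if ($clean === null) {
        echo "$key: rejected, still tainted\n";
    } else {
        echo "$key: accepted as integer $clean\n";
    }
}
```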