Friday, April 30, 2004, 5:37:15 PM, thus was written:
> Hi, Even with register globals off isn't it possible to have a webpage
> like this:

Not sure what you are asking. You can have a webpage like this. And I
guess it even does what it should - print the information.

> <html>
> <head>
> </head>
> <body>
> <h2>Hello, <?php echo $_SERVER['PHP_AUTH_USER']; ?></h2>
> <p>I know your password is <?php echo $_SERVER['PHP_AUTH_PW']; ?></p>
> </body>
> </html>


> Is there a way to make sure Apache doesn't set the
> $_SERVER['PHP_AUTH_PW'] global?

No, there is no way. The docs state that those Superglobals are always
set.
But I wouldn't necessarily say that this is insecure: a user does not
have access to those superglobals unless he has managed to sneak some
code onto your server - but then you'd have a problem somewhere else.

register_globals was intended as a shortcut for lazy programming (my
biased opinion only!) to automagically have $PHP_AUTH_PW, etc
available. That way some user would have been able to set this
variable easily, e.g. with a GET request. No way to directly set a
superglobal though by conventional means.

Richard

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
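
The difference described in the reply above, between a `$PHP_AUTH_PW` variable populated by register_globals and the `$_SERVER` superglobal, shown as an added example that is not part of the original message. The helper names, the sample requests, and the simplified import order are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Runs with the PHP 7.1+ CLI.
// The arrays stand in for $_GET and $_SERVER; all request data is constructed.

// Simplified model (assumption) of register_globals: request variables became
// plain variables, with server-provided values applied on top of GET values.
function registered_globals(array $get, array $server): array
{
    return array_merge($get, $server);
}

// Old style: the script reads $PHP_AUTH_USER / $PHP_AUTH_PW and cannot tell
// whether PHP's auth handling or the query string supplied them.
function legacy_credentials(array $get, array $server): ?array
{
    $vars = registered_globals($get, $server);
    return isset($vars['PHP_AUTH_USER'])
        ? [$vars['PHP_AUTH_USER'], $vars['PHP_AUTH_PW'] ?? '']
        : null;
}

// Superglobal style: only values PHP derived from the Authorization header.
function header_credentials(array $server): ?array
{
    return isset($server['PHP_AUTH_USER'])
        ? [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? '']
        : null;
}

// Request A: no Authorization header, same names sent as query parameters.
$getA    = ['PHP_AUTH_USER' => 'admin', 'PHP_AUTH_PW' => 'set-via-query'];
$serverA = ['REQUEST_METHOD' => 'GET'];

// Request B: Basic auth header present, query parameters sent as well.
$serverB = $serverA + ['PHP_AUTH_USER' => 'alice', 'PHP_AUTH_PW' => 'set-via-header'];

foreach (['A' => $serverA, 'B' => $serverB] as $name => $server) {
    printf("request %s\n  legacy variables: %s\n  \$_SERVER only:    %s\n",
        $name,
        json_encode(legacy_credentials($getA, $server)),
        json_encode(header_credentials($server)));
}
```

For request A the legacy lookup returns the query-string values, while the `$_SERVER` lookup returns nothing, which is the point at which a script would answer with a 401 challenge.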
