>> But I'm not using eval() directly on user-entered data, and I can't see where it is possible.
Yes, you are.
pass1 is coming from the user, is it not?
You are using eval() to decide if pass1 and pass2 are equal, are you not?
You are therefore directly eval-ing user code.
> "register_globals=off" in your php.ini and use $HTTP_*_VARS.
Sigh. This does *NOT* provide *ANY* protection *WHATSOEVER*.
The user can *STILL* POST malicious data, and you are *STILL* going to
eval() it.
I dunno *WHY* so many people are running around saying register_globals Off
and HTTP_xxx_VARS makes your data "safe".
IT DOESN'T.
It *ONLY* keeps a hacker from using GET URLs to over-write POST data, which
they can edit in a text editor and send any damn thing they want anyway.
(And vice versa.) Ditto for COOKIE data.
It does *NOT* stop a hacker from using GET/POST to initialize variables that
were never set. Turn on E_NOTICE, damnit.
I REPEAT:
register_globals off and HTTP_xxx_VARS being more "secure" is a gross
exaggeration.
It will only trip the dumbest of the dumb trying to crack your site -- We're
talking lower than script-kiddies. Think Joe Sixpack and Betsy Buick here.
Normal users who have noticed those funky things in URLs and decided to play
around with them on FORMs to see what they can do.
A *REAL* script-kiddie (did I just say that?) would take your HTML FORM,
edit it in NotePad, and then POST their malicious data and your
HTTP_POST_VARS have *bad* things in it.
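Both points in this reply (eval() on a posted field, and the fact that register_globals/HTTP_*_VARS do not change what gets eval'd) in one added example; this is not code from the thread, and it assumes a form that POSTs two fields named pass1 and pass2:

```php
<?php
// Added example, not from the original thread. Assumes a form that POSTs
// two fields named pass1 and pass2, as the original poster described.

// The pattern the reply objects to: user input is interpolated into a
// string that is then handed to eval(). Whatever the client sends in
// pass1/pass2 becomes part of the PHP source that executes. It makes no
// difference whether the values arrived via register_globals, $_POST or
// $HTTP_POST_VARS: the data is the same, and eval() still runs it.
function passwords_match_unsafe(string $pass1, string $pass2): bool
{
    $code = 'return ("' . $pass1 . '" == "' . $pass2 . '");';
    return (bool) eval($code);   // executes client-controlled source
}

// Hardened replacement: no eval() at all, so the values are only ever data.
// The fields are read explicitly from the request array, and a missing
// field is handled instead of relying on a global that the client may have
// initialised (the "variables that were never set" case; E_NOTICE would
// flag the unset read, but the check below avoids it entirely).
function passwords_match_safe(array $post): bool
{
    if (!isset($post['pass1'], $post['pass2'])) {
        return false;            // missing field: fail closed, do not guess
    }
    if (!is_string($post['pass1']) || !is_string($post['pass2'])) {
        return false;            // pass1[]=... would arrive as an array
    }
    return $post['pass1'] === $post['pass2'];   // plain comparison, no eval
}

// Usage with constructed input standing in for a real request:
$sample = ['pass1' => 'correct horse', 'pass2' => 'correct horse'];
var_dump(passwords_match_safe($sample));
var_dump(passwords_match_safe(['pass1' => 'only-one-field']));
```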