Hi Richard,

I guess you missed my point. I always suggest checking all user inputs
(GET/POST/COOKIE); they are all unsafe unless they are checked. Anyone
can spoof these variables easily with little knowledge, and attackers
do not have to be experienced to attack PHP scripts. Elementary
school kids can effectively attack poorly written code :)

Take a look at my tip at zend.com that was posted months ago

http://www.zend.com/tips/tips.php?id=195&single=1
(There are many reasons why PHP users should set register_globals=off,
enable_track_vars=on default from PHP4.0.3, error_reporting=E_ALL.
With these settings, writing secure code is a lot easier. In addition,
register_globals=off would be the default for PHP4.1 or PHP5.0.)

and

the recent discussion on the php-dev list. There is a long thread regarding
register_globals and others. This is one of the messages. The thread is really
long... so I didn't bother to find the first one.

http://marc.theaimsgroup.com/?l=php-dev&m=99631966717767&w=2

You will see what I mean.
It needs too much typing to explain fully...

Regards,
--
Yasuo Ohgaki

