> I don't think this is much of a problem. I unset() all the global session
> variables before I use them so this should be no problem.
All inputs (GET/POST/COOKIE) from users must be checked if you worry
about security. You might have done that already.
> Even if an attacker tries to set some value for a script variable, this var
> will be unset() and then read from the session, so no harm is done.
>
> On the other hand there should be no problem to change GLOBALS to
> HTTP_XXX_VARS.
The reason why I recommend setting register_globals=off is that it's a lot
easier to write secure code with register_globals=off.
I also recommend you use error_reporting=E_ALL, since it seems you
care about security. Scripts that I write catch every
error/warning/notice as a fatal error and display a page saying "There
is a critical error. Details have been sent to the system administrator." They
catch most errors, including malformed user inputs and system errors
like being unable to open connections, and display an appropriate error page.
They never raise any PHP error/warning/notice unless there is
something really wrong.
By the way, my code posted at zend.com will not catch all errors. I
didn't put the complete sources there. It would be too long for an example
:)
> But as I've said this isn't a problem. Can you see some way to exploit the
> eval() function?
I cannot tell if your script is exploitable or not.
There is just too little info to tell that.
Refer to my other reply; I guess you'll get my point.
Regards,
--
Yasuo Ohgaki
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
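The pattern the reply describes (error_reporting=E_ALL, every warning/notice promoted to a fatal error, a generic page for the user and the details for the administrator, plus explicit checking of request input) written out as an added example. This is not code from the thread or from zend.com; it assumes a current PHP (7 or later), where register_globals no longer exists (it was removed in PHP 5.4), so request data only ever arrives through $_GET/$_POST/$_COOKIE and a variable like $page is undefined until the script assigns it. The log path, the parameter name `page` and the helper names are assumptions made for the example; the original reply mails the details to the administrator instead of writing a log file.

```php
<?php
// Added example, not from the mailing-list thread.
declare(strict_types=1);

error_reporting(E_ALL);               // report everything, as the reply recommends
ini_set('display_errors', '0');       // never show raw PHP diagnostics to users

// Assumed location for the administrator's copy of the details.
define('CRITICAL_LOG', sys_get_temp_dir() . '/critical.log');

// Single exit path for anything unexpected: details to the admin, a generic page to the user.
function fail_hard(string $detail): void
{
    error_log(date('c') . ' ' . $detail . PHP_EOL, 3, CRITICAL_LOG);
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo 'There is a critical error. Details have been sent to the system administrator.';
    exit(1);
}

// Every warning and notice becomes fatal instead of being silently ignored.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    if (!(error_reporting() & $errno)) {
        return false;                 // error was suppressed with @, leave it to PHP
    }
    fail_hard("php error $errno: $errstr in $errfile:$errline");
    return true;                      // not reached; fail_hard() exits
});

// Uncaught exceptions take the same path as PHP errors.
set_exception_handler(function (Throwable $e): void {
    fail_hard('uncaught ' . get_class($e) . ': ' . $e->getMessage());
});

// Input checking: the request parameter must match an explicit, narrow shape.
// $get is passed in rather than read from a global so the function is easy to test.
function read_page_param(array $get): int
{
    $page = $get['page'] ?? '1';      // explicit default; nothing is pre-populated
    if (!is_string($page) || !ctype_digit($page) || strlen($page) > 6) {
        fail_hard('malformed page parameter: ' . var_export($page, true));
    }
    return (int) $page;
}

// Session-backed values are read from $_SESSION only, never from a bare global,
// so the unset()-before-use dance discussed in the thread is no longer needed.
function current_user_id(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

$page = read_page_param($_GET);
// A misspelled variable here (e.g. $pgae) is now a fatal error with a logged
// location, instead of quietly evaluating to null.
echo 'page ' . $page . ', user ' . (current_user_id() ?? 'anonymous') . PHP_EOL;
```

Run it as a CLI script or behind a web server; requesting it with `?page=abc` or `?page[]=1` produces the generic page and a line in the log, while `?page=3` prints the page number. Because the handler is installed before any application code runs, the validation helpers can simply call fail_hard() and rely on the same administrator-facing log rather than composing their own error output.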