> Take for example the value of magic_quotes_gpc. To be sure that your
> script will work correctly, don't assume that it is always on (or off).
> So you can write
>
> if (!get_magic_quotes_gpc()) $var = addslashes($var);
>
> or write a function myaddslashes that does the same thing.
Right. I don't like magic quotes at all. I think this feature is
encouraging PHP users to write insecure code. I mean, the magic quotes
feature hides a little security issue, but it seems the feature makes it
difficult for many PHP users to understand why and how unquoted strings
can be dangerous in scripts. It's confusing for new users. It also
slows things down a little, since I need to check if the feature is
turned on or off, and do stripslashes() when escaping is not needed if it
is on. I wish this feature would disappear in the next major release, or
at least default to off.
> Is this statement safe?
>
> eval('$a = $GLOBALS["pass1"]==$GLOBALS["pass2"]');
>
> I've tried different kinds of inputs to execute arbitrary PHP code,
> but found no such exploit. Maybe you can see something that I can't.
If you are sure one of them is actually loaded from the DB or elsewhere,
and if your code checks for null values in the system's value, it's safe.
BTW, are you using a CHAP-like method for passwords? If your code
doesn't, I suggest using it.
Regards,
--
Yasuo Ohgaki
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
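The "myaddslashes" idea from the quoted message, worked through as an added example (editor's code, not from the list post or from PHP itself). The function names raw_gpc() and sql_quote() and the sample form value are assumptions made for the illustration. The approach is the opposite of the one-liner in the quote: instead of conditionally adding slashes, it strips whatever magic_quotes_gpc may have added so the script always holds the raw submitted string, and escapes exactly once at the point of use. get_magic_quotes_gpc() existed up to PHP 7.4 and is gone in PHP 8, so the call is guarded with function_exists() to keep the example runnable on either.

```php
<?php
// Added example, not code from the mailing-list post.
// Normalise GPC input to its raw form regardless of magic_quotes_gpc,
// then escape explicitly where the value is actually used.

// True only on an interpreter that still has the setting and has it on.
// (magic_quotes_gpc was removed in PHP 5.4; the probe function survived
// until PHP 7.4 and is absent in PHP 8.)
function magic_quotes_active()
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Returns $value with any slashes that magic_quotes_gpc added removed,
// recursing into arrays such as $_POST['items'][]. The caller therefore
// always works with exactly what the client submitted.
function raw_gpc($value)
{
    if (is_array($value)) {
        return array_map('raw_gpc', $value);
    }
    return magic_quotes_active() ? stripslashes($value) : $value;
}

// Escapes a raw string for a single-quoted SQL literal. Because the
// input is guaranteed raw, this can never double-escape, which is the
// failure mode of code that assumes a fixed magic_quotes_gpc state and
// is then moved to a host where the setting differs.
function sql_quote($raw)
{
    return "'" . addslashes($raw) . "'";
}

// Constructed sample input: a name field as typed by the user.
$submitted = "O'Brien";

// Simulate what PHP would have placed in $_POST under the current
// configuration: slashed if magic quotes are on, untouched otherwise.
$as_received = magic_quotes_active() ? addslashes($submitted) : $submitted;

// The rest of the script never has to know which configuration it is on.
$name = raw_gpc($as_received);
$sql  = "SELECT id FROM users WHERE name = " . sql_quote($name) . ";";

echo "raw value: ", $name, "\n";
echo "query:     ", $sql, "\n";
```

sql_quote() uses addslashes() because that is the escaping the thread discusses; on a real database it is not a sufficient SQL escaper for every character set, and the driver's own escaping function or a prepared statement with bound parameters should be used instead. The point the example makes is independent of that choice: decide the raw/escaped state of a value once, at the boundary, rather than at every use site.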