On Tuesday 12 March 2002 12:27, Analysis & Solutions wrote:
> > For security reasons. To make sure the variable did come from POSTing a
> > form and not from the URL.
>
> Neither is more or less secure. The source of the data doesn't matter.

The source of the data *does* matter. That is why the latest releases of PHP (> 4.0.6) recommend having register_globals OFF by default. That is also why, instead of the cumbersome $HTTP_POST_VARS[] (etc.), it's been changed to a much shorter $_POST[]. And to further encourage you to use the new form, $_POST[], $_GET[] etc. have been made "super global" so they can be used directly inside functions without having to declare them as global.

To see why the source of data matters, see the chapter "Security::Using Register Globals".

> Regardless of where the info is from, validating user input is the only
> way to ensure security.

But if you don't know where the data came from then it's not secure.

Consider a "real-life" example. Robin Hood steals the Sheriff's ATM card, and the Sheriff stupidly enough has written the PIN onto the back of the card. Now Robin can go and withdraw all the money from the Sheriff's account because the ATM has no way of knowing that the card was stolen (it doesn't know where the source of the data came from); all it knows is that the data is valid (right card, right PIN).

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.com.hk

/*
Let not the sands of time get in your lunch.
*/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
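As an added illustration of the register_globals point made in the reply above (example code written for this page, not taken from the post or from the PHP manual; the function name, variable names and the credential table are assumptions):

```php
<?php
// Added example, not part of the original mailing-list post. The names
// ($authorized, is_authorized()) and the credential table are assumptions.

// With register_globals = On, every request parameter becomes a global
// variable, so a request to admin.php?authorized=1 sets $authorized before
// the script's own logic runs. The manual chapter cited in the post
// describes this pattern:
//
//   if (authenticated_user()) {
//       $authorized = true;
//   }
//   if ($authorized) {          // also true if the URL supplied it
//       include '/highly/sensitive/data.php';
//   }
//
// The script cannot tell a value it set from one the request set: the data
// "looks valid", like the Sheriff's stolen card and PIN.

// With register_globals = Off, the script states where the data must come
// from. $_POST is a superglobal, so a function reads it without a 'global'
// declaration, and nothing in the request can populate a local variable.
function is_authorized()
{
    // Accept credentials only from the body of a POST, never from the URL.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return false;
    }
    if (!isset($_POST['user'], $_POST['pin'])) {
        return false;
    }
    // Knowing the source is necessary but not sufficient: the value is still
    // validated. Constructed credential table, for illustration only.
    $expected = array('sheriff' => '1234');
    $user = $_POST['user'];
    return isset($expected[$user]) && $expected[$user] === $_POST['pin'];
}

$authorized = false;   // always initialised by the script itself
if (is_authorized()) {
    $authorized = true;
}
echo $authorized ? "Welcome\n" : "Access denied\n";
```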