On Fri, 10 May 2002, Ford, Mike [LSS] wrote:

> Also, by using the $_POST, $_GET arrays, you know exactly where the
> input is coming from (even if register_globals is also on!). If you
> have register_globals set to on, and you just look to see if (say)
> $password has a value, which you're expecting to come from a form field,
> you can't actually tell whether it's been overridden by some
> smarty-pants typing in the URL with ?password=super_password on the end.
> If you check specifically for $_POST['password'], you at least have the
> assurance that it's come from a form field as you were expecting.
This is a very false sense of security. Anyone with cURL (or even telnet) can trivially fake any POST or cookie inputs they want to.

miguel

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
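The point miguel makes, shown in code as an added example (it is not code from either poster, and PHP itself is not involved): a client can put the same name in the query string, the POST body and a Cookie header of one hand-built request, which is exactly what `curl -d ... -b ...` or a few lines typed into telnet do. The helper names (`parse_request`, `register_globals`, `forge_post`) are hypothetical, and the parsing is a simplified model of what PHP does when it fills $_GET, $_POST and $_COOKIE and, with register_globals=On, merges them into the global namespace in `variables_order` (later sources overwrite earlier ones; PHP's default order is EGPCS, of which only G, P and C are modelled here).

```python
"""Model of how a PHP-style server sees one forged HTTP request.

Added example, not from the mailing-list thread. Helper names are
hypothetical; the request parsing is deliberately minimal (no array
names like a[]=, no multipart bodies).
"""
from urllib.parse import parse_qs, urlencode, urlsplit


def parse_form(encoded: str) -> dict:
    """application/x-www-form-urlencoded -> {name: last value}.

    PHP keeps the last occurrence of a repeated scalar name, so do we.
    """
    return {k: v[-1] for k, v in parse_qs(encoded, keep_blank_values=True).items()}


def parse_cookies(header: str) -> dict:
    """'a=1; b=2' -> {'a': '1', 'b': '2'} (what $_COOKIE is built from)."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, _, value = part.strip().partition("=")
            cookies[name] = value
    return cookies


def parse_request(raw: bytes) -> dict:
    """Split one raw HTTP/1.x request into the GET, POST and COOKIE dicts."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    get = parse_form(urlsplit(target).query)
    post = {}
    if method == "POST" and headers.get("content-type", "").startswith(
        "application/x-www-form-urlencoded"
    ):
        post = parse_form(body.decode("latin-1"))
    cookie = parse_cookies(headers.get("cookie", ""))
    return {"GET": get, "POST": post, "COOKIE": cookie}


def register_globals(req: dict, variables_order: str = "GPC") -> dict:
    """Model register_globals=On: one flat namespace, filled in
    variables_order, where a later source overwrites an earlier one.
    Only G, P and C are modelled (PHP's default is EGPCS)."""
    source = {"G": "GET", "P": "POST", "C": "COOKIE"}
    merged = {}
    for letter in variables_order:
        merged.update(req[source[letter]])
    return merged


def forge_post(host: str, path: str, fields: dict, cookies=None) -> bytes:
    """Build the bytes `curl -d <fields> -b <cookies> http://host/path`
    would send. No browser and no HTML form are involved, so nothing
    about a value being 'in $_POST' says where it really came from."""
    body = urlencode(fields)
    lines = [
        f"POST {path} HTTP/1.1",
        f"Host: {host}",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body)}",
    ]
    if cookies:
        lines.append("Cookie: " + "; ".join(f"{k}={v}" for k, v in cookies.items()))
    return ("\r\n".join(lines) + "\r\n\r\n" + body).encode("latin-1")


if __name__ == "__main__":
    # Constructed sample: the same name supplied three ways in one request.
    raw = forge_post(
        "example.test",
        "/login.php?password=from_url",
        {"user": "bob", "password": "from_body"},
        cookies={"password": "from_cookie"},
    )
    req = parse_request(raw)
    print("GET   :", req["GET"])
    print("POST  :", req["POST"])
    print("COOKIE:", req["COOKIE"])
    print("$password with register_globals (GPC):", register_globals(req)["password"])
```

Run it and all three of $_GET['password'], $_POST['password'] and $_COOKIE['password'] are populated from a request nobody typed into a form; with register_globals on, whichever source comes last in `variables_order` wins. The only defensible rule is the one that does not depend on origin at all: validate and authenticate every value no matter which superglobal it arrived in.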