I will look into it. I still consider myself a newbie in the process, having picked up a book back in February and learning to do it. I haven't gotten into using things like $_SESSION[] and similar with posting forms. Thanks.
Robbert van Andel
===============================
Network Operator
NW Regional Operations Center
Charter Communications
ROC Phone: 866-311-6646
Desk Phone: 360-828-6727
email: DL NW ROC
===============================

-----Original Message-----
From: Ernest E Vogelsinger [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 27, 2002 1:28 PM
To: Van Andel, Robert
Cc: Evan Nemerson; [EMAIL PROTECTED]
Subject: RE: [PHP] ignoring client supplied session data

At 22:17 27.11.2002, Van Andel, Robert said:
--------------------[snip]--------------------
>On the other hand, I use only one query, searching for the username. I had
>experimented with other methods but did not find anything that I felt gave
>me great security. Using a session variable that says the person is logged
>in can be placed into a query string, therefore bypassing the authentication
>process.
--------------------[snip]--------------------

That's the main reason why register_globals is off by default since 4.2. If you don't use register_globals, your $_SESSION array is safe from intruders; only your script can set it from within your session. If any malicious guy passes a query variable ?$_SESSION['authorized']=true, this will only show up in the $_GET array, nowhere else. A print_r() of $_GET with this query string gives:

$_GET = Array
(
    [$_SESSION] = Array
    (
        ['authorized'] = 1
    )
)

You might want to check out http://www.php.net/manual/en/security.registerglobals.php to read about the security issues involved. Basically, having register_globals set to on allows an arbitrary user to implant variables of their choice into PHP, making any script more than unsafe. Having it switched off allows YOU to control the data that you work with - an absolute MUST unless you're begging for trouble, IMHO.

--
   >O     Ernest E. Vogelsinger
   (\)    ICQ #13394035
    ^     http://www.vogelsinger.at/

--
PHP General Mailing List (http://www.php.net/)
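An added illustration of Ernest's point (example code, not from the thread): with register_globals off, a request parameter lands only in $_GET, while a script that imports request data into bare variables (what register_globals did, emulated here with extract()) lets the client overwrite its own $authorized flag. The query string, the $get/$session stand-ins and the user table are constructed for the example.

```php
<?php
// Constructed request: the query string from Ernest's message plus a plain
// "authorized" parameter, the kind register_globals would have imported.
$queryString = '$_SESSION[\'authorized\']=true&authorized=1';
parse_str($queryString, $get);      // $get stands in for $_GET (register_globals off)
$session = [];                      // stands in for $_SESSION at request start

// 1. register_globals off: the values exist only in $get; $session is untouched.
print_r($get);
var_dump(isset($session['authorized']));   // bool(false): nothing leaked into the session

// 2. Emulating register_globals on: request data becomes script variables.
//    A script that tests a bare $authorized is now controlled by the client.
//    ("$_SESSION" is not a valid variable name, so extract() skips that key;
//    the plain "authorized" key is what gets imported.)
$authorized = false;                // the script's own default
extract($get, EXTR_OVERWRITE);      // what register_globals effectively did
var_dump($authorized);              // string(1) "1", truthy: the check is bypassed

// 3. Safe pattern: set the flag only after verifying credentials server-side,
//    and read it back only from the session, never from request data.
function login(array &$session, string $user, string $password, array $users): bool
{
    // $users maps username => password_hash() output (constructed below).
    if (isset($users[$user]) && password_verify($password, $users[$user])) {
        $session['authorized'] = true;
        $session['user'] = $user;
        return true;
    }
    return false;
}

function isAuthorized(array $session): bool
{
    return !empty($session['authorized']);   // $_GET is never consulted
}

$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
var_dump(login($session, 'alice', 'wrong password', $users));   // bool(false)
var_dump(isAuthorized($session));                               // bool(false)
var_dump(login($session, 'alice', 'correct horse', $users));    // bool(true)
var_dump(isAuthorized($session));                               // bool(true)
```

In a real script replace the $session stand-in with $_SESSION after session_start(); the point is that only login() ever writes the flag.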