Re: [PHP] security benefits of predefined variables

2002-01-16 Thread Rasmus Lerdorf
> You can see where I'm going with this.
> Experiments of mine with using array elements within SQL statements
> brought some of my questioning to the list just last week. I found that
> the following did not work:
>
> $sql = "SELECT table.column FROM table WHERE criteria LIKE
> $myrow['variable'

Re: [PHP] security benefits of predefined variables

2002-01-16 Thread Erik Price
Okay, all of that discussion of predefined variables was well and good. I'm going through my code and changing everything over to use $_*['variablename']. The problem is that a good deal of my code consists of MySQL query statements with variables inside those statements. An example: $sql =

Re: [PHP] security benefits of predefined variables

2002-01-16 Thread Erik Price
Kirk, Okay, I now understand why the $_GET and $HTTP_GET_VARS variables are useful. I had made the mistaken assumption that if I leave "register_globals" on, but write code that works with "register_globals" off, my code would somehow be safer simply for having been written this way. But th

RE: [PHP] security benefits of predefined variables

2002-01-16 Thread Johnson, Kirk
I wrote:
> > If you are careful, you can defend against Scenario 1 with
> register_globals
> > on, but you need to understand all the stuff that PHP is
> doing with the
> > data, and that is a fairly complicated picture. Your
> application can still
> > work even if you don't understand that p

RE: [PHP] security benefits of predefined variables

2002-01-16 Thread Rasmus Lerdorf
> If you are careful, you can defend against Scenario 1 with register_globals
> on, but you need to understand all the stuff that PHP is doing with the
> data, and that is a fairly complicated picture. Your application can still
> work even if you don't understand that picture, and that is how uns

RE: [PHP] security benefits of predefined variables

2002-01-16 Thread Johnson, Kirk
> What is the purpose of the $_GET (or $HTTP_GET_VARS)
> predefined variable? It seems that in the case of "get" variables,
> malicious variables could still be set in the querystring and
> even using
> $_GET['variablename'] wouldn't be able to stop this from happening.
> That is, from what

Re: [PHP] security benefits of predefined variables

2002-01-16 Thread Erik Price
Kirk, That was enlightening, thank you. I think that I had better set register_globals OFF! However, there is still one last nagging question in my mind: What is the purpose of the $_GET (or $HTTP_GET_VARS) predefined variable? It seems that in the case of "get" variables, malicious varia

RE: [PHP] security benefits of predefined variables

2002-01-15 Thread Johnson, Kirk
Give this a read first, then come back if you still have questions ;)

http://www.securereality.com.au/studyinscarlet.txt

Kirk

> -Original Message-
> From: Erik Price [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 15, 2002 1:50 PM
> To: PHP
> Subject: [PHP] security benefits of pred