BugTraq
Re: Zorum Portal (PHP) Jan 26 2003 07:03PM
Frog Man (leseulfrog hotmail com) (1 replies)
Re[2]: Zorum Portal (PHP) Jan 29 2003 04:39AM
Messer (igmpfrag dezigner ru) (1 replies)
Re: Zorum Portal (PHP) Jan 29 2003 08:12PM
MightyE (mightye mightye org)
Messer wrote:

>Hello MGHz,
>
>
>
>In new versions of PHP (PHP 4.2.3 and higher) for reception of values
>transmitted to the form it's necessary to write:
>
>$Variable = $HTTP_GET_VARS ['var']; // Request Method - GET
>or
>$Variable = $HTTP_POST_VARS ['var']; // Request Method - POST
>
>
>// example: http://host.com/script.php?var1=value1&var2=value2
>$Var_1 = $HTTP_GET_VARS['var1'];
>$Var_2 = $var2;
>// $Var_1 == "value1"
>// $Var_2 == ""
>
>Messer.
>
Actually that's just the default. As per
http://www.php.net/manual/tw/configuration.directives.php#ini.register-globals
it is still possible to configure PHP to register global variables such
as $HTTP_POST_VARS['var'] as root level global variables, where your
above example would render $Var_2 == "value2". This is a directive set
in the php.ini file, and frequently required for reverse compatibility.
Setting register_globals to false in php.ini will circumvent many such
attacks, though it may break some scripts. The fact that it now
defaults to false will hopefully keep developers using $_POST, $_GET,
$HTTP_POST_VARS, and $HTTP_GET_VARS, which is far more secure.

-MightyE
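An added example to make MightyE's point concrete; it is not code from the thread or from the Zorum project, and the variable names ($authorized, $page) and the sample request are constructed for illustration. Since the register_globals directive no longer exists in current PHP (it was removed in 5.4), the example reproduces its effect inside one function with extract(), which does explicitly what register_globals=On once did to every script implicitly: it turns each request parameter into a local variable before the script's own logic runs.

```php
<?php
declare(strict_types=1);

// Added example, not part of the original BugTraq thread and not Zorum code.
// Shows why a script that relies on "unset variables are empty" breaks under
// register_globals=On, and the hardened pattern that does not depend on it.

/**
 * Legacy script as written in the register_globals era. The author never
 * assigns $authorized unless a login succeeded, and assumes it is empty
 * otherwise. Under register_globals=On, PHP created a global for every
 * request parameter, so the assumption held only while the directive was Off.
 * extract() simulates that behaviour for this function's scope.
 */
function legacy_page(array $request): string
{
    // Equivalent of register_globals: ?authorized=1 becomes $authorized = '1'.
    extract($request);

    if (!empty($authorized)) {   // never initialised by the script itself
        return 'admin page';
    }
    return 'login form';
}

/**
 * Hardened version. Every variable is initialised before use, input is read
 * only through the request arrays (what the thread calls $HTTP_GET_VARS,
 * today $_GET/$_POST), and authorisation comes from server-side state
 * ($session is hypothetical; a real script would use $_SESSION).
 */
function hardened_page(array $request, array $session): string
{
    // 1. Initialise: request data can no longer seed this variable.
    $authorized = (($session['role'] ?? '') === 'admin');

    // 2. Read input explicitly from the request array, with a default.
    $page = (string) ($request['page'] ?? 'home');

    // 3. Validate against an allow-list instead of trusting the raw value.
    $allowed = ['home', 'forum', 'profile'];
    if (!in_array($page, $allowed, true)) {
        $page = 'home';
    }

    if ($authorized) {
        return 'admin page';
    }
    return "public page: $page";
}

/**
 * Practitioner check for the directive itself. ini_get() returns false for
 * a directive the running PHP does not know, so on PHP >= 5.4 this is always
 * false; on older builds it reports the php.ini setting MightyE refers to.
 */
function register_globals_enabled(): bool
{
    return filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}

// Constructed sample input: what ?authorized=1&page=forum decodes to.
$untrusted_request = ['authorized' => '1', 'page' => 'forum'];
$anonymous_session = [];

echo 'register_globals on: ', register_globals_enabled() ? 'yes' : 'no', "\n";
echo 'legacy, forged param : ', legacy_page($untrusted_request), "\n";
echo 'legacy, no params    : ', legacy_page([]), "\n";
echo 'hardened, forged     : ', hardened_page($untrusted_request, $anonymous_session), "\n";
echo 'hardened, admin sess : ', hardened_page($untrusted_request, ['role' => 'admin']), "\n";
```

Run it with the PHP CLI (`php example.php`). The legacy function grants the admin page whenever the request carries an `authorized` parameter, which is the $Var_2 == "value2" case MightyE describes; the hardened function ignores that parameter entirely because $authorized is derived from the session before any request data is consulted, and the only request value it does use is allow-listed. Turning register_globals off in php.ini removes the mechanism, but initialising variables and reading input explicitly is what makes a script correct regardless of the directive.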

Copyright 2010, SecurityFocus