register_globals = On
rudy at taytek.com
Fri Mar 21 19:32:31 EST 2003
I built a web application several years ago that is still very much alive
and well now. My server environment has always been Linux, Apache, MySQL,
and PHP. I just recently installed PHP and MySQL on a Windows 2000 server
running IIS. After moving some code over I discovered the PHP.ini file and
its use of the register_globals flag. I now realize that I have created
considerable code that relies on this flag being on. My concern is about
the security exposure with globals on.
I have relied on the globals in two areas, Session variables and Post data
from forms. With session variables I used session_register, and with Post
data I simply expected to have PHP make the variables available to me
without having to step through the $HTTP_POST_VARS array.
For me to migrate the Session variables to $_SESSION['element'] would be
work, but doable. To handle all the Post vars is another story.
Has anyone else been faced with this issue, and if so, how did you address it?
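The migration asked about above, as an added example that is not part of the original post: it shows why register_globals exposes uninitialised variables and one way to replace the implicit POST globals with an explicit whitelist, alongside the session_register to $_SESSION change. The field names, the sample request and the import_fields() helper are hypothetical.

```php
<?php
// Added example; import_fields() and all field names are hypothetical.
//
// With register_globals = On, a request carrying is_admin=1 creates the
// global $is_admin before the script runs, so any variable the script
// forgets to initialise can be set by the client.

/**
 * Copy only the expected form fields out of a request array.
 * $spec maps field name => default used when the field is absent.
 */
function import_fields(array $source, array $spec)
{
    $clean = array();
    foreach ($spec as $name => $default) {
        $value = isset($source[$name]) ? $source[$name] : $default;
        // A client can send name[]=x; fall back to the default when a
        // scalar was expected but an array arrived.
        $clean[$name] = is_scalar($value) ? trim((string) $value) : $default;
    }
    return $clean;
}

// Constructed sample request standing in for a real form submission.
$_POST = array(
    'username' => ' alice ',
    'comment'  => 'hello',
    'is_admin' => '1',        // not a form field; added by the client
);

// Security-relevant variables are initialised explicitly, so nothing in
// the request can pre-set them even if register_globals is still on.
$is_admin = false;

// Only the fields this form defines are imported; is_admin is ignored.
$form = import_fields($_POST, array('username' => '', 'comment' => ''));

// Old style: session_register('username') bound the session entry to the
// global $username. Replacement: write to $_SESSION after session_start().
session_start();
$_SESSION['username'] = $form['username'];

var_dump($form, $is_admin, $_SESSION['username']);
```

Each script then reads $form['username'] instead of $username, so forms can be converted one at a time before register_globals is switched off.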