> Could someone explain what the following passage in php.ini means:
>
> You should do your best to write your scripts so that they do not require
> ; register_globals to be on; Using form variables as globals can easily lead
> ; to possible security problems, if the code is not very well thought of.
>
> If register_globals is off, does that mean you cannot access form variables
> by just referring to their name?
Correct
> And, if that is so, how do you pass
> information from forms to your action script?
They will be in the $HTTP_POST_VARS array. However, as long as you watch
what you are doing, leaving register_globals on is fine. Don't use
undefined variables and never pass stuff directly to any system() or file
operation functions without carefully checking your data.
Turning off register_globals and simply using $HTTP_POST_VARS everywhere
really doesn't help that much in this respect. POST vars are easily
spoofed, so don't think that just turning off register_globals will
suddenly make your scripts secure. It won't. Never trust user-supplied
data.
-Rasmus
--
PHP General Mailing List (http://www.php.net/)
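The two habits recommended in the reply above (initialise every variable, check request data before it reaches a file function), shown side by side as an added example that is not part of the original thread. `extract()` stands in for `register_globals = on`, which current PHP no longer has; the field names, `REPORT_DIR` and the allow-list are hypothetical, and the submissions are constructed.

```php
<?php
const REPORT_DIR = '/var/www/reports';                  // hypothetical directory
const ALLOWED_REPORTS = ['summary', 'monthly', 'yearly']; // hypothetical allow-list

// Relies on an undefined variable: a form field named "path" pre-sets it.
function report_path_unchecked(array $request): ?string
{
    extract($request);                    // simulated register_globals
    if (isset($report) && in_array($report, ALLOWED_REPORTS, true)) {
        $path = REPORT_DIR . '/' . $report . '.txt';
    }
    return $path ?? null;                 // $path may have come from the request
}

// Same logic with the variable initialised before use. The form value only
// selects among names the script chose, so it never reaches a file function
// as a free-form string, however the request delivered it.
function report_path_checked(array $request): ?string
{
    extract($request);                    // still simulated register_globals
    $path = null;                         // initialise before use
    if (isset($report) && in_array($report, ALLOWED_REPORTS, true)) {
        $path = REPORT_DIR . '/' . $report . '.txt';
    }
    return $path;
}

// Constructed submissions: one ordinary, one carrying an extra "path" field.
$samples = [
    ['report' => 'monthly'],
    ['report' => 'unknown', 'path' => '/tmp/constructed-other-file'],
];
foreach ($samples as $request) {
    printf(
        "%-8s unchecked=%s checked=%s\n",
        $request['report'],
        var_export(report_path_unchecked($request), true),
        var_export(report_path_checked($request), true)
    );
}
```

For the second submission the unchecked function returns the request-supplied path while the checked one returns `NULL`. The allow-list comparison is what protects the file operation, whether the value arrives as a global or through `$HTTP_POST_VARS`.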