On Thu, 2002-02-21 at 22:31, K.Tomono wrote:
> Hi there.
> 
> This must be a curious question,  but I want to know...

Globals, and register_globals = on, are insecure for exactly this
reason. This is why new versions of PHP will default to register_globals
= off, and why it's a good idea to use register_globals = off in any
case.

For more discussion of this issue, please read the following:

  http://www.php.net/release_4_1_0.php


Cheers,

Torben

> Recently I've checked several globals, and how they are overwritten.
> 
> The globals are $PHP_SELF and $PHP_AUTH_USER.
> 
> The first, $PHP_AUTH_USER.
> This is overwritten by the HTTP GET values with a URI such as the following
> (and POST will be too).
> http://foo.bar.com/test.php3?PHP_AUTH_USER=CRACK
> 
> This case is tested under PHP Version 3.0.18-i18n-ja-2.
> 
> But it is not overwritten under PHP Version 4.0.3pl1.
> 
> 
> The second, $PHP_SELF.
> This is not overwritten by the HTTP GET values with a URI such as the following.
> http://foo.bar.com/test.php3?PHP_SELF=CRACK.php
> 
> This is true both under PHP Version 4.0.3pl1 and PHP Version
> 3.0.18-i18n-ja-2
> 
> 
> The difference is probably that PHP_AUTH_USER is originally a value from the
> HTTP request (the "Authorization" header), but PHP_SELF is server-side, I think.
> 
> Though, is the above behavior of each global the intended spec of PHP?
> Or is it simply due to the internal order of evaluation for these values?
> 
> 
> I tested with my test servers.
> In my test server configuration, php.ini is defined for each as:
> 
> PHP3: register_globals (none, not defined)
> PHP4: register_globals = on
> 
> I've checked with phpinfo() also.
> 
> 
> Any opinion will be appreciated.
> Thanks.
> 
> -----------------------
> K.Tomono
> 
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
> 
-- 
 Torben Wilson <[EMAIL PROTECTED]>
 http://www.thebuttlesschaps.com
 http://www.hybrid17.com
 http://www.inflatableeye.com
 +1.604.709.0506
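Worked example of the problem Torben describes, added here and not part of the original thread. It runs from the PHP CLI and simulates a request rather than needing a web server: the constructed $_SERVER entry stands for the value Apache derived from a real Authorization header, and the constructed $_GET array stands for the query string in the original poster's URI. The simulate_register_globals() helper is a hypothetical stand-in for register_globals = on in which the query string wins, which is the PHP 3 behaviour the original poster reports (on PHP 4 the precedence between sources is governed by variables_order, so the result there depends on configuration). The vulnerable function reads the bare global, the hardened one reads the $_SERVER superglobal that PHP 4.1.0 introduced and that register_globals never populates from a query string. The second vulnerable function generalizes the point beyond $PHP_AUTH_USER to the classic uninitialized-flag bug, which is not in the original post.

```php
<?php
// Added example: simulates register_globals = on from the CLI.
// No part of this is code from the original thread.

// Constructed request. The server set PHP_AUTH_USER from a genuine
// Authorization header, but the query string also carries PHP_AUTH_USER
// plus a flag the script never meant to accept from the client.
$_SERVER['PHP_AUTH_USER'] = 'alice';
$_GET = array(
    'PHP_AUTH_USER' => 'CRACK',
    'authorized'    => '1',
);

// Hypothetical stand-in for register_globals = on with GET winning:
// every query parameter becomes a global variable of the same name.
function simulate_register_globals(array $get)
{
    foreach ($get as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// Vulnerable: trusts the bare global, which the client can overwrite.
function current_user_vulnerable()
{
    global $PHP_AUTH_USER;
    return isset($PHP_AUTH_USER) ? $PHP_AUTH_USER : null;
}

// Hardened: reads the superglobal. Query-string and form data land in
// $_GET / $_POST only, never in $_SERVER, whatever register_globals says.
function current_user_hardened()
{
    return isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
}

// Vulnerable generalization: a flag that is only ever set on success and
// never initialized, so a client can pre-set it with ?authorized=1.
function is_admin_vulnerable($user)
{
    global $authorized;
    if ($user === 'root') {
        $authorized = true;
    }
    return !empty($authorized);
}

// Hardened: initialize the flag locally, so nothing outside the function
// can influence it.
function is_admin_hardened($user)
{
    $authorized = false;
    if ($user === 'root') {
        $authorized = true;
    }
    return $authorized;
}

simulate_register_globals($_GET);

printf("vulnerable user:   %s\n", var_export(current_user_vulnerable(), true));
printf("hardened user:     %s\n", var_export(current_user_hardened(), true));
printf("vulnerable admin?: %s\n", var_export(is_admin_vulnerable(current_user_hardened()), true));
printf("hardened admin?:   %s\n", var_export(is_admin_hardened(current_user_hardened()), true));
```

Run it with register_globals = off and the two hardened functions give the same answer as they would with it on, which is the point: code that reads $_SERVER, $_GET and $_POST explicitly, and initializes every variable before testing it, does not care what register_globals is set to. Code that reads bare globals is correct only while the php.ini it was tested against stays in place.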

