> For more discussion of this issue, please read the following:
>
> http://www.php.net/release_4_1_0.php
>

Thanks Lars Torben, but one more question please.
There is "variables_order" in php.ini. Is this a very important thing concerned with this issue?

Regards :)
K.Tomono

> -----Original Message-----
> From: Lars Torben Wilson [mailto:[EMAIL PROTECTED]]On Behalf Of Lars
> Torben Wilson
> Sent: Friday, February 22, 2002 3:40 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP] overwriting PHP_SELF and PHP_AUTH_xxxx
>
>
> On Thu, 2002-02-21 at 22:31, K.Tomono wrote:
> > Hi there.
> >
> > This must be a curious question, but I want to know...
>
> Globals, and register_globals = on, are insecure for exactly this
> reason. This is why new versions of PHP will default to register_globals
> = off, and why it's a good idea to use register_globals = off in any
> case.
>
> For more discussion of this issue, please read the following:
>
> http://www.php.net/release_4_1_0.php
>
>
> Cheers,
>
> Torben
>
> > Recently I've checked several globals, how it is overwritten.
> >
> > the globals are $PHP_SELF and $PHP_AUTH_USER.
> >
> > the first time, $PHP_AUTH_USER.
> > This is overwritten by the http GET values when such a following uri. (and
> > Post will be so.)
> > http://foo.bar.com/test.php3?PHP_AUTH_USER=CRACK
> >
> > This case is tested under PHP Version 3.0.18-i18n-ja-2.
> >
> > but is not overwritten under PHP Version 4.0.3pl1
> >
> >
> > the second, $PHP_SELF.
> > This is not overwritten by the http GET values when such a following uri.
> > http://foo.bar.com/test.php3?PHP_SELF=CRACK.php
> >
> > This is true both under PHP Version 4.0.3pl1 and PHP Version
> > 3.0.18-i18n-ja-2
> >
> >
> > the difference is probably that PHP_AUTH_USER is value from http request
> > originally
> > (="Authorization" header), but PHP_SELF is server side, I think.
> >
> > though, such above behavior with each global is the intended spec of PHP?
> > Or Simply by the order of the evaluation in internal for these values?
> >
> >
> > I tested with my test servers.
> > my test server configuration, php.ini is defined with each
> >
> > PHP3: register_globals (none. not defined.)
> > PHP4: register_globals = on
> >
> > I've checked with phpinfo() also.
> >
> >
> > Any opinion will be appreciated.
> > Thanks.
> >
> > -----------------------
> > K.Tomono
> >
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
>
>
> --
>  Torben Wilson <[EMAIL PROTECTED]>
>  http://www.thebuttlesschaps.com
>  http://www.hybrid17.com
>  http://www.inflatableeye.com
>  +1.604.709.0506
>
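
Added illustration for the variables_order question above (not part of the thread and not PHP's own code): the php.ini comments describe variables_order as registering sources left to right, with newer values overriding older ones. The sketch below models that merge for register_globals = on; the function names, the "alice" value and the "ESGPC" ordering are constructed for the example.

```php
<?php
// Added illustration, not PHP's own implementation: a simplified model of how
// register_globals = on fills the global scope according to variables_order.

// Merge sources left to right; a later source overwrites an earlier one.
// Returns [merged variables, letter of the source that supplied each one].
function model_register_globals(string $variablesOrder, array $sources): array
{
    $globals = [];
    $origin  = [];
    foreach (str_split(strtoupper($variablesOrder)) as $letter) {
        foreach ($sources[$letter] ?? [] as $name => $value) {
            $globals[$name] = $value;
            $origin[$name]  = $letter;
        }
    }
    return [$globals, $origin];
}

// Names that a client-controlled source (G, P, C) shares with E or S.
function client_collisions(array $sources): array
{
    $client = ($sources['G'] ?? []) + ($sources['P'] ?? []) + ($sources['C'] ?? []);
    $server = ($sources['E'] ?? []) + ($sources['S'] ?? []);
    return array_keys(array_intersect_key($client, $server));
}

// Constructed sample request, modelled on the URI quoted in the thread.
$sources = [
    'G' => ['PHP_AUTH_USER' => 'CRACK'],
    'S' => ['PHP_AUTH_USER' => 'alice', 'PHP_SELF' => '/test.php3'],
];

foreach (['EGPCS', 'ESGPC'] as $order) {   // second ordering is constructed
    [$globals, $origin] = model_register_globals($order, $sources);
    printf("%s: \$PHP_AUTH_USER = %s (from %s)\n",
        $order, $globals['PHP_AUTH_USER'], $origin['PHP_AUTH_USER']);
}
// With the server source registered last (EGPCS) the server value is kept;
// with a client source registered after S (ESGPC) the GET value replaces it.

echo 'Colliding names: ', implode(', ', client_collisions($sources)), "\n";

// Independent of variables_order: with register_globals = off, read the
// value from the source array itself rather than from a merged global.
$authUser = $sources['S']['PHP_AUTH_USER'] ?? null; // stands in for $_SERVER
```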