I'm not worried about them using the query string for malicious purposes - I have register_globals off... I'm worried about someone messing with their cookie and setting authorized to true - that _will_ change my $_SESSION variable, unless I can find some way to ignore cookies, which brings us back to my original question: how do I ignore all client input, _especially_ cookies?
On Wednesday 27 November 2002 01:28 pm, you wrote:
> At 22:17 27.11.2002, Van Andel, Robert said:
> --------------------[snip]--------------------
> >On the other hand, I use only one query, searching for the username. I
> >had experimented with other methods but did not find anything that I felt
> >gave me great security. Using a session variable that says the person is
> >logged in can be placed into a query string therefore bypassing the
> >authentication process
> --------------------[snip]--------------------
>
> That's the main issue why register_globals is off by default since 4.2. If
> you don't use register_globals, your $_SESSION array is safe from
> intruders; only your script can set it from within your session. If any
> malicious guy passes a query variable ?$_SESSION['authorized']=true, this
> will only show up in the $_GET array, nowhere else. A print_r() of $_GET
> with this query string gives:
>
> $_GET = Array (
>     [$_SESSION] = Array (
>         ['authorized'] = 1
>     )
> )
>
> You might want to check out
>
> http://www.php.net/manual/en/security.registerglobals.php
>
> to read about the security issues involved. Basically having
> register_globals set to on allows an arbitrary user to implant variables of
> their choice into PHP, making any script more than unsafe. Having it
> switched off allows YOU to control the data that you work with - an
> absolute MUST unless you're begging for trouble, IMHO.

--
The public have an insatiable curiosity to know everything. Except what is worth knowing. Journalism, conscious of this, and having tradesman-like habits, supplies their demands.
-Oscar Wilde

--
PHP General Mailing List (http://www.php.net/)
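The point of the thread in working code, as an added example written for this page rather than taken from either poster: with register_globals off, a cookie or query-string parameter named "authorized" only ever reaches $_COOKIE or $_GET, while $_SESSION is written solely by the script itself after the credential check. It uses current PHP (password_hash, session_regenerate_id); the user table, credentials and the names authenticate() and "authorized" are constructed placeholders.

```php
<?php
// Added example (not from the original thread): authorization state kept in
// $_SESSION on the server. The client controls only the session ID cookie;
// the contents of $_SESSION are written by this script and nothing else.
declare(strict_types=1);

// Refuse to run if register_globals is on (it was removed in PHP 5.4, so this
// is false on any current build). With it on, a query string such as
// ?_SESSION[authorized]=1 or a cookie named "authorized" could poison state.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    exit('register_globals must be off');
}

session_start();

// Constructed user table; real code looks the user up in a database.
// The hash is computed here only so the placeholder password verifies.
function authenticate(string $user, string $password): bool
{
    $users = ['alice' => password_hash('correct-horse', PASSWORD_DEFAULT)]; // placeholder
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

// Login: the "authorized" flag is derived from a validated credential and is
// never copied out of $_GET, $_POST or $_COOKIE.
if (isset($_POST['user'], $_POST['password'])) {
    if (authenticate((string) $_POST['user'], (string) $_POST['password'])) {
        session_regenerate_id(true);       // drop any client-chosen session ID
        $_SESSION['authorized'] = true;
        $_SESSION['user'] = (string) $_POST['user'];
    } else {
        $_SESSION['authorized'] = false;
    }
}

// Protected action. A request carrying "Cookie: authorized=1" or
// "?_SESSION[authorized]=1" lands in $_COOKIE / $_GET and is ignored here,
// because only the server-side $_SESSION entry is consulted.
if (empty($_SESSION['authorized'])) {
    http_response_code(403);
    exit('not authorized');
}
echo 'Welcome, ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
```

Anything a client sends in a cookie is only ever visible in $_COOKIE, so there is nothing to "ignore": the script simply never reads authorization from it.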