Yeah, I'd strongly agree with Jonathan's view that the quality of the code can mitigate the dangers of register_globals.
FYI, an interesting article on PHP vulnerabilities is at:
http://www.securereality.com.au/studyinscarlet.txt

David Eisenhart

"Jonathan Pitcher" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Sam,
>
> The register_globals can be dangerous to turn on, but it really depends
> on the quality of the code the shopping cart was written with. See
> examples below for explanation.
>
> Say you had a script that looked like this.
>
> <?PHP
>
> $Q = "Select * from Stored CreditCards where User='$User'";
> // ..... Retrieve info from DB
> // ..... Charge Credit Card
> // ..... Do Other Stuff.
>
> ?>
>
> With register_globals = on, I could do the following to the URL and
> force the system to bill someone else.
>
> chargecredit.php?User=Joe
>
> Basically, register_globals = off protects you from that type of URL
> hacking.
>
> It just depends on how it is written and how thought out the shopping
> cart script is.
>
> Hope this helped.
>
> Jonathan Pitcher
>
> On Monday, February 17, 2003, at 07:09 AM, Sam wrote:
>
> > I'm thinking of running a shopping cart package (osCommerce) that
> > requires register_globals to be enabled. With all the warnings about
> > security with register_globals enabled I'm worried.
> >
> > How dangerous is it?
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
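
Added example, not part of the thread and not osCommerce code: the quoted chargecredit.php pattern next to a form that takes the customer from server-side session data and binds it as a query parameter. Assumptions: `extract()` stands in for register_globals (the directive no longer exists in current PHP), and the `cards` table, function names and sample rows are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed data: an in-memory SQLite table standing in for stored cards.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE cards (owner TEXT PRIMARY KEY, card TEXT)");
$db->exec("INSERT INTO cards VALUES ('Sam', 'card-of-Sam'), ('Joe', 'card-of-Joe')");

// Pattern from the quoted script: $User is never initialised by the code,
// so whatever the request supplies becomes the customer to bill.
function card_legacy(PDO $db, array $query): ?string
{
    extract($query); // assumption: emulates register_globals = On
    $sql  = "SELECT card FROM cards WHERE owner='$User'"; // interpolated, as quoted
    $card = $db->query($sql)->fetchColumn();
    return $card === false ? null : $card;
}

// Hardened form: identity comes only from the session established at login,
// request parameters are never consulted, and the value is bound, not interpolated.
function card_hardened(PDO $db, array $session): ?string
{
    if (!isset($session['user']) || !is_string($session['user'])) {
        return null; // no authenticated customer: nothing to charge
    }
    $stmt = $db->prepare('SELECT card FROM cards WHERE owner = :owner');
    $stmt->execute([':owner' => $session['user']]);
    $card = $stmt->fetchColumn();
    return $card === false ? null : $card;
}

// Constructed request: Sam is logged in, the URL carries ?User=Joe.
$session = ['user' => 'Sam'];
$query   = ['User' => 'Joe'];

echo "legacy:   ", var_export(card_legacy($db, $query), true), PHP_EOL;
echo "hardened: ", var_export(card_hardened($db, $session), true), PHP_EOL;
```

The hardened function behaves the same whatever register_globals is set to, because no request-supplied value is used to choose the customer.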