Posted 13 September 2006 - 05:40 AM
If I'm correct, when register_globals is on, passing a variable in the URL will default it to that example:
http://www.mywebsite.com/?id=4 will make the $id set to 4. But does can users input $_POST variables or $_SESSION variables through the URL also? Because I have a website that is like http://www.mywebsite...ofile.php?id=65 and changing the id to another number goes to their profile.php page, and if they would do the same just for the login page, would $_POST datas be catched? like...
Posted 13 September 2006 - 06:38 AM
Posted 13 September 2006 - 07:05 AM
Posted 13 September 2006 - 07:18 AM
Posted 13 September 2006 - 08:52 AM
Not quite correct, it doesn't register session variables for you (your example with $name will not work with register_globals alone.)
Yes, register_globals should be switched off, for security reasons over anything else - check the manual for more information on that. As far as I understand, what register_globals actually does, it registers global variables. So, once you create them they are available throughout your PHP pages. For example, on page one we define the variable '$name' and assign the value 'Kris', then on page two we can just echo $name and it will print 'Kris' to the screen, this is without passing it via get, post, cookie or session. Please, anyone, correct me if I have misunderstood register_globals.
All register globals does is define each index of $_REQUEST, $_SESSION and $_SERVER as a standalone variable in the global namespace.
Posted 13 September 2006 - 04:15 PM
example: i have a login form
username: [ ]
password: [ ]
and the user and pass is sent as $_POST['username'] and $_POST['password']. would users be able to login by just submitting those values within the URL?
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users