Re: Zorum Portal (PHP)

[MightyE <mightye () mightye org>]

Messer wrote:

> Hello MGHz,
>
>  
>
> In new versions of PHP (PHP 4.2.3 and higher) for reception of values
> transmitted to the form it's necessary to write:
>
> $Variable = $HTTP_GET_VARS ['var']; // Request Method - GET
> or
> $Variable = $HTTP_POST_VARS ['var']; // Request Method - POST
>
>
> // example: http://host.com/script.php?var1=value1&var2=value2
> $Var_1 = $HTTP_GET_VARS['var1'];
> $Var_2 = $var2;
> // $Var_1 == "value1"
> // $Var_2 == ""
>
> Messer.
Actually that's just the default.  As per 
http://www.php.net/manual/tw/configuration.directives.php#ini.register-globals 
it is still possible to configure PHP to register global variables such 
as $HTTP_POST_VARS['var'] as root level global variables, where your 
above example would render $Var_2 == "value2".  This is a directive set 
in the php.ini file, and frequently required for reverse compatibility. 
Setting register_globals to false in php.ini will circumvent many such 
attacks, though it may break some scripts.  The fact that it now 
defaults to false will hopefully keep developers using $_POST, $_GET, 
$HTTP_POST_VARS, and $HTTP_GET_VARS, which is far more secure.

-MightyE