- Subject: Re: Getting the value of environment variables
- From: Florian Weimer <fw@...>
- Date: Sat, 29 May 2010 21:19:50 +0200

* Jonathan Castello:
> In PHP, you have $_GET and $_POST hashes that contain the data sent
> with the client's request. The register_globals option [1] takes those
> arrays and dumps them into the global space, so instead of
> $_GET["foo"] you have $foo. The issue is that the client can pollute
> your globals this way, such as passing "authenticated=1". If you use
> $authenticated somewhere in your code without first initializing it,
> that's a bad hole.

This, and the fact that it's customary to have library files in the
document root. These library files often assume that certain
variables have been initialized properly. With register_globals, you
can set those to interesting values (toying with paths, reading local
files or executing PHP code downloaded from the net, by supplying a
URL).
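
The two failure modes discussed in this message, next to the fixes, as an added example that is not part of the original thread. register_globals was removed in PHP 5.4, so extract() stands in for it here; the function names, the LIB_DIR constant and the sample request values are hypothetical.

```php
<?php
// Emulates register_globals on current PHP (assumption of this example):
// extract() turns every request parameter into a local variable.

// Constructed sample input: parameters a client could send in a request.
$request = ['authenticated' => '1', 'lib_dir' => '/tmp/client-chosen'];

function login_vulnerable(array $request, bool $passwordOk): bool
{
    extract($request);               // stand-in for register_globals = On
    if ($passwordOk) {
        $authenticated = true;
    }
    // $authenticated is only assigned on success, so on failure the
    // request-supplied value is what gets tested here.
    return !empty($authenticated);
}

function login_hardened(array $request, bool $passwordOk): bool
{
    extract($request);
    $authenticated = false;          // initialise before any use
    if ($passwordOk) {
        $authenticated = true;
    }
    return $authenticated;
}

// A library file that trusts $lib_dir to have been set by its includer.
function library_path_vulnerable(array $request): string
{
    extract($request);
    return $lib_dir . '/db.php';     // this string would go to include
}

// Hardened: the path comes from a constant, which request data cannot set.
define('LIB_DIR', __DIR__ . '/lib');
function library_path_hardened(array $request): string
{
    extract($request);
    return LIB_DIR . '/db.php';
}

// Wrong password in both login calls; only the first reports success.
var_dump(login_vulnerable($request, false));
var_dump(login_hardened($request, false));
var_dump(library_path_vulnerable($request));
var_dump(library_path_hardened($request));
```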