PHP reg globals q
- kinetic
I thought turning register globals off would mean that you could not supply a script variables from a URL string.
But... you still have to pass the variables on the URL string... you just have to use $_GET['variableName'] to retrieve them.
Could anyone tell me what the point of this is? It seems kind of redundant to me because you can still inject a script with bunk variables by adjusting the URL string.
Thanks :)
- monokrom
Someone can still squirt stuff into your script, but it's confined to the $_GET array.
The only variables in your scripts that will be affected are those that are derived from values in $_GET.
You should already be validating user input (everything from POST, GET, or uploaded files, etc.).
- kinetic
Ah. OK, that makes sense.
Thanks!
- enobrev
Also, later versions of PHP have magic quotes set to on (smack me if I'm wrong).
That basically escapes all $_GET and $_POST vars, which helps a great deal with any SQL injection issues.
Of course, as mono said, you should be validating nonetheless.
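
The difference monokrom describes, as an added example that is not part of the thread: the same constructed request handled with register globals on and off. The setting no longer exists in current PHP, so `extract()` stands in for it here; `user_is_logged_in()`, the two page functions and the parameter names are hypothetical.

```php
<?php
// Constructed request: ?page=2&authorized=1 (sample input, not from the thread).
$_GET = ['page' => '2', 'authorized' => '1'];

// Hypothetical stand-in for a real login check; it always fails here.
function user_is_logged_in(): bool
{
    return false;
}

// register_globals = On, emulated with extract(): every request parameter
// becomes a variable in the script's scope.
function page_with_register_globals(array $get): string
{
    extract($get); // what register_globals did implicitly
    if (user_is_logged_in()) {
        $authorized = true;
    }
    // $authorized was never initialised by the script, so the URL set it.
    return !empty($authorized) ? 'admin panel shown' : 'access denied';
}

// register_globals = Off: request data is reachable only through $_GET,
// so script variables hold only what the script itself assigned.
function page_without_register_globals(array $get): string
{
    $authorized = user_is_logged_in(); // the URL cannot reach this variable

    // Anything read from $_GET is still untrusted, so validate it before use.
    $page = filter_var(
        $get['page'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 500]]
    );
    if ($page === false) {
        return 'bad request';
    }
    return $authorized ? "admin panel, page $page" : "access denied (page $page)";
}

echo page_with_register_globals($_GET), PHP_EOL;
echo page_without_register_globals($_GET), PHP_EOL;
echo page_without_register_globals(['page' => 'abc']), PHP_EOL;
```

With the setting on, the extra `authorized` parameter decides the outcome; with it off, the same parameter is ignored and only the validated `page` value reaches the script's logic.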