@Aravindh,
Aravindh wrote: Hi there,
I think that this [register_globals] is set ON to support the use of Super Global Variables like ($_SESSION, $_POST, etc.)
Am I right?
Not really. register_globals made any variable, no matter how it was input, available from $variablename. So if it's on I can pass in any variable value I want as a query string value. For example I could circumvent the following code just by passing in ?authorized=1 to the script:
Code:
<?php
// define $authorized = true only if user is authenticated
if (authenticated_user()) {
    $authorized = true;
}
// Because we didn't first initialize $authorized as false, this might be
// defined through register_globals, like from GET auth.php?authorized=1
// So, anyone can be seen as authenticated!
if ($authorized) {
    include "/highly/sensitive/data.php";
}
?>
For that kind of reason this is a highly-discouraged practice and has been removed from the latest version of PHP altogether, so avoid reliance on this kind of thing. In practice that means doing stuff like $_GET['myvariable'] instead of just using $myvariable.
Quote: But in my localhost server,
even though by default register_globals is turned OFF, I am able to use super global variables ($_SESSION, $_POST like that..) in my code...
Superglobals are pre-defined variables and turning register globals on and off only affects them in the way they can be accessed. For example, with register globals on, you can access the variable like this: $DOCUMENT_ROOT but with it off you access it through one of the pre-defined super global arrays like this: $_SERVER['DOCUMENT_ROOT'].
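
The behaviour described in the post above, as an added example that is not part of the original thread. Current PHP has no register_globals, so extract() stands in for it here; the $request array and the authenticated_user() stub are constructed for the demonstration.

```php
<?php
// Added example. Assumption: extract() imitates what register_globals=On did,
// i.e. request parameters become ordinary variables before the script's own
// logic runs.

// Constructed sample input: the parameters of GET auth.php?authorized=1
$request = ['authorized' => '1'];

// Stand-in for the post's authenticated_user(); this visitor is not logged in.
function authenticated_user(): bool
{
    return false;
}

// Pattern from the post: $authorized is only ever assigned on success, so a
// request-supplied value is still in place when authentication fails.
function check_uninitialised(array $request): bool
{
    extract($request);          // simulated register_globals injection
    if (authenticated_user()) {
        $authorized = true;
    }
    return !empty($authorized);
}

// Same injection, but the flag is set to a known state before it is used.
// The explicit assignment overwrites whatever the request put there.
function check_initialised(array $request): bool
{
    extract($request);          // simulated register_globals injection
    $authorized = false;
    if (authenticated_user()) {
        $authorized = true;
    }
    return $authorized;
}

// With register_globals off, request data is reachable only by naming its
// source explicitly, so it cannot collide with a script variable.
function read_param(array $get, string $name): ?string
{
    return isset($get[$name]) && is_string($get[$name]) ? $get[$name] : null;
}

var_dump(check_uninitialised($request));
var_dump(check_initialised($request));
var_dump(read_param($request, 'authorized'));
```

Run it with the PHP CLI; the first two lines of output differ only because of the `$authorized = false;` initialisation.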