Share the understanding that PHP register_globals is on and off.

The value of register_globals can be set to: On or Off. Let's take a piece of code to describe their differences.

Code:

Copy codeThe Code is as follows:
<Form name = "frmTest" id = "frmTest" action = "URL">
<Input type = "text" name = "user_name" id = "user_name">
<Input type = "password" name = "user_pass" id = "user_pass">
<Input type = "submit" value = "login">
</Form>

When register_globals = Off, when receiving the next program, use $ _ GET ['user _ name'] and $ _ GET ['user _ pass'] to accept the passed values. (Note: when the method attribute of <form> is post, use $ _ POST ['user _ name'] and $ _ POST ['user _ pass']).

When register_globals = On, the next program can directly use $ user_name and $ user_pass to accept the value.

As the name implies, register_globals means registration as a global variable. Therefore, when On, the passed value will be directly registered as a global variable for use, and when Off, we need to get it in a specific array. Therefore, if you encounter the above problems that cannot get the value, you should first check whether your register_globals settings match the method you get the value. (You can use the phpinfo () function or directly view php. ini)

Let's take a look at the errors here?

Take a look at the following PHP script, which is used to authorize access to a Web page when the user name and password entered are correct:

Copy codeThe Code is as follows:
<? Php
// Check the user name and password
If ($ username = 'kevin 'and $ password = 'secret ')
$ Authorized = true;
?>
<? Php if (! $ Authorized):?>
<! -- An unauthorized user will be prompted here -->
<P> Please enter your username and password: </p>
<Form action = "<? = $ PHP_SELF?> "Method =" POST ">
<P> Username: <input type = "text" name = "username"/> <br/>
Password: <input type = "password" name = "password"/> <br/>
<Input type = "submit"/> </p>
</Form>
<? Php else:?>
<! -- HTML content with security requirements -->
<? Php endif;?>

The problem in the code above is that you can easily obtain access power without providing the correct user name and password. Only Add at the end of your browser's address bar? Authorized = 1. Because PHP automatically creates a variable for each submitted value-whether it is from a submitted form, URL query string, or a cookie-this will set $ authorized to 1, such an unauthorized user can break through the security restrictions.