Problems you may encounter when register_globals is enabled

Source: Internet
Author: User
I read in the PHP manual that it is recommended to disable global variables, that is, to set register_globals to off.
In addition, the manual provides an example to illustrate the problem if you do not turn it off. The example is as follows.
What does GET auth.php?authorized=1 mean? I hope you can help me.

Example of using register_globals = on

<?php
// If the user is valid, $authorized = true is assigned.
if (authenticated_user()) {
    $authorized = true;
}

// Because $authorized is not initialized to false in advance,
// when register_globals is enabled, GET auth.php?authorized=1 can define the variable's value.
// Anyone can bypass authentication.
if ($authorized) {
    include "/highly/sensitive/data.php";
}
?>
When register_globals = on, the above code is dangerous. If it is off, $authorized cannot be changed through a URL request or other means, which is much better, although initializing variables is a good programming habit in any case. For example, if $authorized = false is added before the preceding code, it works whether register_globals is on or off, because the user status is initialized to unauthenticated.


------ Solution --------------------
When register_globals is enabled, for auth.php?authorized=1 you do not need to use GET:
$authorized equals $_GET['authorized'].
Variables can be defined through the URL; is that safe?
http://bbs.php100.com/read-htm-tid-17163-page-1.html
http://www.laruence.com/2009/07/13/976.html
This is another example.
------ Solution --------------------
This comment is clear.

// Because $authorized is not initialized to false in advance,
// when register_globals is enabled, GET auth.php?authorized=1 can define the variable's value.
// Anyone can bypass authentication.
if ($authorized) {
    include "/highly/sensitive/data.php";
}

If the setting is enabled, then when the code checks whether the variable authorized is true, you only need to put authorized=1 in the URL to obtain the permission granted when authorized is true.
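
The unsafe check and the initialized version discussed above, side by side, as an added example that is not from the PHP manual or from the posts on this page. register_globals was removed in PHP 5.4, so extract() stands in for it here (an assumption of this example), and authenticated_user() is a hypothetical stub in which nobody is logged in.

```php
<?php
// Added example: not the manual's code. extract() simulates register_globals = on
// by turning request parameters into variables before the check runs.

// Hypothetical stand-in for the manual's authenticated_user(): nobody is logged in.
function authenticated_user(): bool
{
    return false;
}

// Pattern from the manual's example: $authorized has no default value.
function check_uninitialized(array $query): bool
{
    extract($query);              // request parameters become local variables
    if (authenticated_user()) {
        $authorized = true;
    }
    // With no default, whatever the request supplied decides the outcome.
    return !empty($authorized);
}

// Hardened pattern: the script's first statement sets an explicit default.
function check_initialized(array $query): bool
{
    extract($query);              // registration happens before script code runs
    $authorized = false;          // overwrites any value injected by the request
    if (authenticated_user()) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed request for illustration: GET auth.php?authorized=1
parse_str('authorized=1', $query);

echo "uninitialized check, authorized=1 in URL: ";
var_dump(check_uninitialized($query));
echo "initialized check, authorized=1 in URL: ";
var_dump(check_initialized($query));
echo "uninitialized check, no parameter: ";
var_dump(check_uninitialized([]));
```

The same reasoning applies to any code that imports request data into variables, such as calling extract() on $_GET or $_POST: the authorization flag must be assigned by the script itself before it is tested.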
