<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.0.4417.0">
<TITLE>RE: [Wolves] PHP global variables</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<P><FONT SIZE=2>That said, it’s a lot better practice to not use global variables, and I would expect most hosts to have register_globals turned off - its off by default by PHP and I can see little reason why a host would turn it back on.<BR>
<BR>
What does your code do?<BR>
<BR>
Cheers<BR>
Luke<BR>
<BR>
-----Original Message-----<BR>
From: Stuart Langridge [<A HREF="mailto:sil@kryogenix.org">mailto:sil@kryogenix.org</A>]<BR>
Sent: 06 September 2005 15:35<BR>
To: Wolverhampton Linux User Group<BR>
Subject: Re: [Wolves] PHP global variables<BR>
<BR>
> How important is the 'security issue' with global variables in php?<BR>
> I've just realised that over half my scripts still rely on globals=on<BR>
> (having 'broke' them with a php re-install before I remembered to<BR>
> tujrn globals back on).<BR>
><BR>
> Is it really worth the effort of re-writing scripts to sort this out?<BR>
<BR>
Depends. If you're using any variables anywhere without having first initialised them to a known value, and relying on PHP having initialised them to zero or the empty string, then anyone can break your code by explicitly specifying that variable in the URL even though you weren't expecting them to. This is conceivably a very big problem, but it depends on your code.<BR>
<BR>
Aq.<BR>
<BR>
_______________________________________________<BR>
Wolves LUG mailing list<BR>
Homepage: <A HREF="http://www.wolveslug.org.uk/">http://www.wolveslug.org.uk/</A><BR>
Mailing list: Wolves@mailman.lug.org.uk<BR>
Mailing list home: <A HREF="http://mailman.lug.org.uk/mailman/listinfo/wolves">http://mailman.lug.org.uk/mailman/listinfo/wolves</A><BR>
</FONT>
</P>
</BODY>
</HTML>