Why most run Microsoft, not RedHat

Ingemar Nilsson init at pdc.kth.se
Wed Apr 25 17:42:11 UTC 2007


Kelly <lightsolphoenix at gmail.com> writes:

> The problem was, originally PHP would create variables with the names of the 
> HTML elements they were originally taken from (<input type="text" 
> name="test"> would become $test in PHP).  Most authors used this feature 
> without thinking, because it was convenient.  But it allows for a bunch of 
> serious attacks from the outside, especially if it is used in conjunction 
> with database queries.
> 
> Safe mode causes those elements to not be registered, forcing the author to 
> access the variables using the special superarrays ($_GET, $_POST, $_COOKIE, 
> etc.), which prevents the aforementioned attacks.  They didn't just change it 
> because it would have broken compatibility with older scripts; the general 
> hope was that it would slowly be turned on over time.
> 
> At least, that's what I seem to recall.

I think you are wrong. The above behaviour is controlled by the
register_globals variable in php.ini. Thus, there must be some other use
for safe-mode.

Regards
Ingemar
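An added example, not code from either poster, of the behaviour Kelly describes (request parameters becoming script variables) next to the explicit superglobal form; `is_logged_in()` and the variable names are assumed for illustration:

```php
<?php
// Added example, not code from the thread. is_logged_in() is an
// assumed helper standing in for a real session/credential check.
function is_logged_in(): bool
{
    return isset($_SESSION['user_id']);
}

// ---- (1) Vulnerable: the register_globals pattern Kelly describes ----
// With register_globals = On (on by default before PHP 4.2.0, removed
// in 5.4.0), a request such as  ?authorized=1  made PHP create the
// *global* $authorized = "1" before this line executed. The script
// assigns $authorized only on the success path and never initialises
// it, so the client-supplied value survives into the check below.
if (is_logged_in()) {
    $authorized = true;
}
if (!empty($authorized)) {   // also true when the client sent ?authorized=1
    echo "admin area\n";
} else {
    echo "denied\n";
}

// ---- (2) Hardened: initialise everything, read input via superglobals ----
// Every variable is set by the script itself, and request data is
// reached only through $_GET / $_POST, so no parameter can shadow
// $authorized. This is the form that register_globals = Off (the
// php.ini setting Ingemar refers to) forces authors to use.
$authorized = is_logged_in();   // always initialised, never from input
$section = isset($_GET['section']) ? (string) $_GET['section'] : 'home';
if (!preg_match('/^[a-z]{1,16}$/', $section)) {   // validate before use
    $section = 'home';
}
echo $authorized ? "admin area: $section\n" : "denied\n";
```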
