Why most run Microsoft, not RedHat
Ingemar Nilsson
init at pdc.kth.se
Wed Apr 25 17:42:11 UTC 2007
Kelly <lightsolphoenix at gmail.com> writes:
> The problem was, originally PHP would create variables with the names of the
> HTML elements they were originally taken from (<input type="text"
> name="test"> would become $test in PHP). Most authors used this feature
> without thinking, because it was convenient. But it allows for a bunch of
> serious attacks from the outside, especially if it is used in conjunction
> with database queries.
>
> Safe mode causes those elements to not be registered, forcing the author to
> access the variables using the special superarrays ($_GET, $_POST, $_COOKIE,
> etc.), which prevents the aforementioned attacks. They didn't just change it
> because it would have broken compatibility with older scripts; the general
> hope was that it would slowly be turned on over time.
>
> At least, that's what I seem to recall.
I think you are wrong. The above behaviour is controlled by the
register_globals variable in php.ini. Thus, there must be some other use
for safe-mode.
Regards
Ingemar
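As an added illustration of the register_globals behaviour Kelly describes (this is not part of the thread and not code from PHP or any project mentioned in it), the following PHP script emulates what register_globals = On did, namely copying every request parameter into global scope, on a constructed request, and places the classic uninitialised-variable pattern beside a version that reads input only from the $_GET superglobal. The request contents, variable names and table name are assumptions chosen for the example.

```php
<?php
// Added example, not from the fedora-list thread.
//
// With register_globals = On in php.ini, each request parameter became a
// global variable before the script ran, so a request such as
//     /page.php?authorized=1
// silently defined $authorized = "1". The helper below emulates that so the
// example runs on PHP versions where register_globals no longer exists.

// Constructed request (assumption for the example): the attacker supplies an
// "authorized" flag and a "user" value carrying a SQL injection payload.
$_GET = [
    'user'       => "alice' OR '1'='1",
    'authorized' => '1',
];

// Emulates register_globals: every request key becomes a global variable.
function emulate_register_globals(array $request): void
{
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// Vulnerable pattern: $authorized is only assigned on success and never
// initialised, so the attacker's ?authorized=1 is taken as "already set".
function vulnerable_page(): string
{
    global $user, $authorized;   // both arrive from the request

    if ($user === 'admin') {
        $authorized = true;
    }
    if (!empty($authorized)) {
        // Request-controlled $user flows unescaped into the query string.
        return "SELECT * FROM accounts WHERE name = '$user'";
    }
    return 'denied';
}

// Hardened pattern: read input only from the superglobal passed in,
// initialise all state explicitly, and keep user data out of the SQL text.
function hardened_page(array $get): string
{
    $authorized = false;                                  // explicit default
    $user = isset($get['user']) ? (string) $get['user'] : '';

    if ($user === 'admin') {
        $authorized = true;
    }
    if (!$authorized) {
        return 'denied';
    }
    // Placeholder: bind $user with PDO::prepare()/execute() in a real script.
    return 'SELECT * FROM accounts WHERE name = ?';
}

emulate_register_globals($_GET);
echo "register_globals on: " . vulnerable_page() . "\n";   // injected query
echo "superglobals only:   " . hardened_page($_GET) . "\n"; // denied
```

Run with `php page.php`: the first line shows the attacker both bypassing the check and reaching the query with the payload intact, the second shows the same request refused once the script stops trusting variables it did not set itself. Disabling register_globals in php.ini removes the injection path; the explicit initialisation and the parameterised query are what keep the script safe regardless of that setting.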