[UPHPU] $GLOBALS and global best practices
Steve Meyers
steve-uphpu at spamwiz.com
Mon Nov 7 14:30:14 MST 2011
On 11/7/11 2:20 PM, Daniel C. wrote:
> On Mon, Nov 7, 2011 at 12:39 PM, Wade Preston Shearer
> Blindly importing any of the $GLOBALS into scope can do Bad Things.
> Consider if you have a $host in your DB connection string, and someone
> puts &host=TheirServerIP into the URL. Depending on the order you do
> things, you could potentially import that into your local scope,
> clobbering your own $host, and try to connect to their server with
> your authentication data. Now they have your username and password.
That assumes that you have register_globals enabled, which implies that
you don't care about security anyway.
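
The clobbering described in the quoted message, as an added example that is not part of the original thread: `extract()` stands in for the blind import (register_globals was removed in PHP 5.4), next to two safer ways to read the same request. The host name, the `id` parameter, the function names and the request array are all constructed for illustration.

```php
<?php
// Constructed sample: what $_GET would hold for ?id=7&host=203.0.113.5
// (203.0.113.0/24 is a documentation-only address range).
$request = ['id' => '7', 'host' => '203.0.113.5'];

// Blind import: extract() defaults to EXTR_OVERWRITE, so a request key
// named "host" replaces the trusted $host already in scope.
function blind_import(array $request): string
{
    $host = 'db.internal.example';   // hypothetical trusted config value
    extract($request);
    return $host;                    // now whatever the client sent
}

// EXTR_SKIP keeps variables that already exist, but it still creates any
// name that is not defined yet, so safety depends on statement order.
function skip_existing(array $request): string
{
    $host = 'db.internal.example';
    extract($request, EXTR_SKIP);
    return $host;                    // trusted value survives
}

// Allowlist: request data never becomes a variable name. Only expected
// keys are read, each one is validated, and config stays separate.
function allowlisted(array $request): array
{
    $config  = ['host' => 'db.internal.example'];
    $allowed = ['id' => true];
    $input   = array_intersect_key($request, $allowed);

    $id = (isset($input['id']) && ctype_digit($input['id']))
        ? (int) $input['id']
        : null;

    return ['host' => $config['host'], 'id' => $id];
}

var_dump(blind_import($request));
var_dump(skip_existing($request));
var_dump(allowlisted($request));
```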