Archive for the ‘register_globals’ Tag

(evil) Register Globals (on)

The register_globals directive is enabled (register_globals = On) by default in PHP versions 4.2.0 and greater in the php config (php.ini). While it doesn’t represent a security vulnerability, it’s a security risk.

Why is it a security risk? Let’s look at this example:

Continue reading

Advertisements

The danger of PHP_SELF

The $_SERVER[‘PHP_SELF’] or old syntax $PHP_SELF superglobal gives you the filename of the currently executing script, relative to the document root.
Often used in forms or in links.

<form action=”<? echo $_SERVER[‘PHP_SELF’]; ?>” method=”POST”>

Here you see a normal login form with the form container above.

Continue reading