Thanks everyone for their replies so far,
What would happen if I browsed to
yourserver.com/.../delete.php?deleteFlag=yes&filename=index.php
I think you know what would happen :-)
I tried that with this one
http://localhost/delete.php?deleteFl...ename=test.txt
and it deleted test.txt
A number of things then in response:
How would malicious people know the names of variables and what their use is?
No URLs like the one you gave and the one I gave can ever be seen in the browser bar.
There's no way I can hide my PHP code when I distribute this program, is
there? Everyone could simply examine the code and then try to break websites
using the system.
I'm only starting on this project now. (It's for a college project, for those
that don't know.)
I fully plan to implement logins and basically have something like
if session login is good then {process rest of page} else die(not authorized).
Passwords would be stored in the database, well, encrypted versions of them, not
actually the plain text ones.
With security this would mean that URL like the above could not be executed
by the right people.
Am I right in saying that?
Also, if register_globals is off, basically all I have to do to get at a
variable is use $_POST['filename'] rather than $filename.
If register_globals is off, is it therefore impossible to do trick URLs like
the two above, regardless of whether logins are used?
Pedro, if you could address as many of these issues as possible, also any other
help too.
Thanks to everyone. Only learning and you have all been helpful.
"Pedro Graca" <he****@dodgeit.com> wrote in message
news:sl*******************@ID-203069.user.uni-berlin.de...
Dave wrote:
> I seem to be using these newsgroups a good bit and probably will be for
> the next three or so months.

Why are you already thinking about leaving us? :-)

> I wonder if there is a workaround to a problem I'm having. PHP always
> says that variables are undefined for the first time I visit a page.

Use isset() before the variable:
  if (isset($variable)) do_something_with($variable);

> I have
> register_globals on and on the second visit to a page when a certain post
> variable has a value and has been defined.
> Here's a bit of code I'm working with now.
> <?php
> if($deleteFlag=="yes") {unlink($filename);
> echo "$filename successfully deleted";}
<snip>

What would happen if I browsed to
yourserver.com/.../delete.php?deleteFlag=yes&filename=index.php

Turn off register_globals
and validate *all* user input.
*NEVER* trust the user!
--
Mail to my "From:" address is readable by all at http://www.dodgeit.com/
== ** ## !! ------------------------------------------------ !! ## ** ==
TEXT-ONLY mail to the whole "Reply-To:" address ("My Name" <my@address>)
may bypass my spam filter. If it does, I may reply from another address!
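To make Pedro's advice concrete, here is an added example of what a hardened delete.php could look like; it is not Dave's or Pedro's code. It assumes register_globals is off, that a separate login script sets $_SESSION['user_id'] and $_SESSION['csrf_token'], and that the deletable files live under a hypothetical UPLOAD_DIR directory.

```php
<?php
// Added example, not code from the thread: a hardened delete.php.
// Assumes register_globals is off, a login page has set $_SESSION['user_id']
// and $_SESSION['csrf_token'], and uploads live under UPLOAD_DIR (hypothetical).
session_start();
define('UPLOAD_DIR', __DIR__ . '/uploads');

// 1. Require a valid login: the session, not a URL parameter, proves identity.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    die('Not authorized');
}

// 2. Accept only POST for a destructive action, so a crafted link cannot
//    trigger it with a plain GET request.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    die('Use the delete form');
}

// 3. Tie the request to this user's session with a per-session token that
//    the form page embeds as a hidden field.
if (!isset($_POST['token'], $_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $_POST['token'])) {
    http_response_code(403);
    die('Invalid request token');
}

// 4. Validate the filename: read it explicitly from $_POST (never from a
//    register_globals variable), allow only a simple name, and confirm the
//    resolved path really sits inside UPLOAD_DIR.
$name = $_POST['filename'] ?? '';
if (!preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $name) || $name[0] === '.') {
    die('Invalid filename');
}
$base   = realpath(UPLOAD_DIR);
$target = realpath(UPLOAD_DIR . '/' . $name);
if ($base === false || $target === false || !is_file($target)
    || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
    die('File not found');
}

// 5. Only now delete, and escape the name before echoing it back.
if (unlink($target)) {
    echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . ' successfully deleted';
} else {
    echo 'Delete failed';
}
```

With these checks in place, the deleteFlag=yes&filename=index.php URL from the thread fails at step 1 for a visitor who is not logged in, at step 2 for any GET request, and at step 4 because index.php does not resolve to a file inside UPLOAD_DIR.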