Example 4-14. Working without register_globals=off

Example 4-15.

    <?php
    if ($HTTP_COOKIE_VARS['username']) {
        // can only come from a cookie, forged or otherwise
        $good_login = 1;
        fpassthru("/highly/sensitive/data/index.html");
    }
    ?>
By using this wisely, it's even possible to take preventative
measures to warn when forging is being attempted. If you know
ahead of time exactly where a variable should be coming from, you
can check to see if submitted data is coming from an
inappropriate kind of submission. While it doesn't guarantee that
data has not been forged, it does require an attacker to guess
the right kind of forging.
Example 4-16.

    <?php
    if ($HTTP_COOKIE_VARS['username'] &&
        !$HTTP_POST_VARS['username'] &&
        !$HTTP_GET_VARS['username']) {
        // Perform other checks to validate the user name...
        $good_login = 1;
        fpassthru("/highly/sensitive/data/index.html");
    } else {
        mail("admin@example.com", "Possible breakin attempt", $HTTP_SERVER_VARS['REMOTE_ADDR']);
        echo "Security violation, admin has been alerted.";
        exit;
    }
    ?>
Of course, simply turning off register_globals does not mean code
is secure. For every piece of data that is submitted, it should
also be checked in other ways.
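The source check from Example 4-16 generalises to any input name. The following is an added example, not code from the PHP manual: a small accessor that uses the modern $_GET/$_POST/$_COOKIE superglobals (passed in as an array so it can be exercised with constructed data), returns a value only when it arrived through the single expected channel, and records an alert otherwise. The function name, its parameters and the sample requests are assumptions made here.

```php
<?php
// Added example (not from the PHP manual): apply the channel check of
// Example 4-16 to any variable name, using $_GET / $_POST / $_COOKIE.

/**
 * Return the value of $name if it was supplied ONLY through the expected
 * channel ('get', 'post' or 'cookie'). If the same name also arrived through
 * any other channel, return null and append a description to $alerts.
 * Note: the returned value is still untrusted and must be validated.
 */
function input_from_only(string $name, string $expected, array $sources, array &$alerts): ?string
{
    $seen = [];
    foreach ($sources as $channel => $data) {
        if (array_key_exists($name, $data)) {
            $seen[] = $channel;
        }
    }
    if ($seen === [$expected]) {
        return (string) $sources[$expected][$name];
    }
    if ($seen !== []) {
        // The name came through a channel this script never uses: possible forging.
        $alerts[] = sprintf('%s supplied via %s, expected %s only',
            $name, implode('+', $seen), $expected);
    }
    return null;
}

// Constructed sample requests (not real traffic).
$alerts = [];
$normal = ['get' => [], 'post' => ['username' => 'alice'], 'cookie' => []];
$forged = ['get' => ['username' => 'admin'], 'post' => [], 'cookie' => ['username' => 'admin']];

var_dump(input_from_only('username', 'post', $normal, $alerts));
var_dump(input_from_only('username', 'post', $forged, $alerts));
print_r($alerts);

// In a real script pass ['get' => $_GET, 'post' => $_POST, 'cookie' => $_COOKIE]
// and replace the $alerts array with mail() or error_log() as in Example 4-16.
```

The first call returns "alice"; the second returns null and leaves one entry in $alerts, which a script would hand to mail() or error_log() exactly as Example 4-16 does.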