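Push mrbigmouth: First ini_get; if it isn't false, then ini_set 07/10 21:06
→ alfadick: register_globals can't be set with ini_set()! 07/10 21:32
→ gname: Whatever you expect to have, put just that in... it's that simple... 07/10 21:49
→ alfadick: gname, could you explain in more detail? For example, I want to read $_POST['xxx'], 07/10 23:53
→ alfadick: but someone could use test.php?_POST[xxx]=something 07/10 23:54
→ alfadick: to create a dangerous situation 07/10 23:54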
that is,
<?php
// define $authorized = true only if user is authenticated
if (authenticated_user()) {
    $authorized = true;
}
// Because we didn't first initialize $authorized as false, this might be
// defined through register_globals, like from GET auth.php?authorized=1
// So, anyone can be seen as authenticated!
if ($authorized) {
    include "/highly/sensitive/data.php";
}
?>
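※ Edited: alfadick From: 218.167.0.148 (07/10 23:59)
→ arrack: Have you tried both .htaccess and php.ini? 07/11 08:08
→ arrack: If neither works, just remember to give everything an initial value... 07/11 08:10
→ eight0: ...Write to the hosting provider and ask them to handle it 07/11 14:59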
Perhaps the most controversial change in PHP is when the default value for
the PHP directive register_globals went from ON to OFF in PHP>4.2.0.
In PHP 4.2.0 and later, the default value for the PHP directive
register_globals is off. This is a major change in PHP. Having
register_globals off affects the set of predefined variables available in the
global scope. For example, to get DOCUMENT_ROOT you'll use
$_SERVER['DOCUMENT_ROOT'] instead of $DOCUMENT_ROOT, or $_GET['id'] from the
URL http://www.example.com/test.php?id=3 instead of $id, or $_ENV['HOME']
instead of $HOME.
For related information on this change, read the configuration entry for
register_globals, the security chapter on Using Register Globals, as well as
the PHP
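lol, has nobody, back in the php<4.2.0 days,
(i) bought virtual hosting, or
(ii) used free overseas PHP hosting, or
(iii) run their own server
?
Back then, everyone must have had the same need as me and written this program, right?
Without it, programs would be terribly dangerous
※ Edited: alfadick From: 218.167.0.145 (07/11 18:34)
→ arrack: So far every virtual host I have bought supports using htaccess or php.ini to 07/11 22:17
→ arrack: change it 07/11 22:17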
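
Added example, not part of the thread and not any poster's code: one way to handle, at the top of a script, the case discussed above where register_globals cannot be switched off, combined with the explicit initial value arrack recommends. The function find_injected(), the authenticated_user() stub and the sample arrays are assumptions constructed for illustration.

```php
<?php
// Added example; find_injected() and the sample data are hypothetical.

// Superglobal names that request keys must never be allowed to target.
const PROTECTED_NAMES = ['GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                         '_SERVER', '_ENV', '_FILES', '_SESSION'];

/**
 * Compare the global scope with the request arrays. Any global whose name is
 * also a request key is something register_globals could have created, so it
 * goes in 'unset'. Keys that name a superglobal go in 'rejected'.
 */
function find_injected(array $scope, array ...$sources): array
{
    $found = ['unset' => [], 'rejected' => []];
    foreach ($sources as $source) {
        foreach (array_keys($source) as $name) {
            $name = (string) $name;
            if (in_array($name, PROTECTED_NAMES, true)) {
                $found['rejected'][] = $name;   // e.g. ?_POST[xxx]=something
            } elseif (array_key_exists($name, $scope)) {
                $found['unset'][] = $name;
            }
        }
    }
    return $found;
}

// Stub standing in for the real login check from the snippet in the thread.
function authenticated_user(): bool { return false; }

// Constructed request: auth.php?authorized=1&_POST[xxx]=something
$get   = ['authorized' => '1', '_POST' => ['xxx' => 'something']];
// Constructed global scope at script start with register_globals on.
$scope = ['authorized' => '1', 'config' => 'set by an earlier include'];

$found = find_injected($scope, $get);
foreach ($found['unset'] as $name) {
    unset($scope[$name]);   // in a real script: unset($GLOBALS[$name]);
}

// Hardened form of the check: start from an explicit false.
$authorized = false;
if (authenticated_user()) {
    $authorized = true;
}
var_dump($found, $scope, $authorized);
```

In a live script the caller would pass in $_GET, $_POST and $_COOKIE and could refuse the request whenever 'rejected' is not empty.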