PHP global variables and the SESSION vulnerability

ID MYHACK58:62201234420
Type myhack58
Reporter Anonymous
Modified 2012-07-24T00:00:00


First, look at this simple piece of code:

    <?php
    session_start();
    $_SESSION['isadmin'] = 'yes';   // value stored in the session
    $isadmin = 'no';                // global variable with the same name
    echo $_SESSION['isadmin'];
    ?>

When register_globals = Off is set in php.ini, there is no problem: the output is yes. But when register_globals = On is set in php.ini, the first run outputs yes, and after a refresh the page displays no. Obviously this is not normal.

This is a very strange problem. If $isadmin='no'; changes the SESSION, then why does the first run show yes?

As everyone knows, when register_globals = On and the page is accessed via xxx.php?id=123, the program automatically creates a variable id. So will the automatically created variable change the SESSION? Test code:

    <?php
    //xxx.php
    session_start();
    echo $_SESSION['id'];
    ?>

Accessing xxx.php?id=123 produces no output. That is fortunate; otherwise who knows how many websites that use the SESSION for login and have register_globals set to On in their PHP configuration could simply be logged in to at will.

There are two commonly used functions, import_request_variables() and extract():

import_request_variables -- imports GET/POST/Cookie variables into the global scope
extract -- imports variables from an array into the current symbol table

    <?php
    //xxx.php
    import_request_variables('G');   // 'G' = import GET variables
    echo $id;
    ?>

When the page is accessed via xxx.php?id=123, it outputs 123 even if register_globals is set to Off. extract($_GET) is similar to import_request_variables('G'). So let's try it: will the variables created by import_request_variables() and extract() affect the SESSION?
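The extract() behaviour described above, as an added example that is not part of the original article: the default call beside EXTR_SKIP, EXTR_PREFIX_ALL and an allowlist. The $request array is constructed sample input standing in for $_GET, and pick_params() and the four *_import/allowlisted functions are hypothetical names.

```php
<?php
// Constructed sample input, standing in for $_GET on xxx.php?id=123&isadmin=yes
$request = ['id' => '123', 'isadmin' => 'yes'];

// Hypothetical helper: copy only allowlisted keys into an array and validate
// each one. Nothing is written into the symbol table.
function pick_params(array $source, array $allowed): array
{
    $out = [];
    foreach ($allowed as $name => $filter) {
        $value = array_key_exists($name, $source)
            ? filter_var($source[$name], $filter)
            : false;
        $out[$name] = ($value === false) ? null : $value;
    }
    return $out;
}

function weak_import(array $request): string
{
    $isadmin = 'no';        // set by the application
    extract($request);      // default EXTR_OVERWRITE: the request key replaces it
    return $isadmin;
}

function skip_import(array $request): string
{
    $isadmin = 'no';
    // EXTR_SKIP keeps variables that already exist; a variable the code has
    // not initialised yet is still created from the request.
    extract($request, EXTR_SKIP);
    return $isadmin;
}

function prefixed_import(array $request): array
{
    $isadmin = 'no';
    // Every imported name becomes $req_<key>, so it cannot collide with $isadmin.
    extract($request, EXTR_PREFIX_ALL, 'req');
    return [$isadmin, $req_id];
}

function allowlisted(array $request): array
{
    // Only "id" is accepted, and only as an integer; "isadmin" is never imported.
    return pick_params($request, ['id' => FILTER_VALIDATE_INT]);
}

var_dump(weak_import($request), skip_import($request),
         prefixed_import($request), allowlisted($request));
```

register_globals and import_request_variables() were removed in PHP 5.4, but extract() on request data remains available in current versions, so the same check applies when reviewing modern code.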
