Request #4205 Setting internal vars with form var names dangerous!
Submitted: 2000-04-20 14:19 UTC Modified: 2000-04-20 14:47 UTC
From: kai at jedi dot net Assigned:
Status: Closed Package: Feature/Change Request
PHP Version: 4.0 Release Candidate 1 OS: Linux Red Hat 6.0
Private report: No CVE-ID: None
 [2000-04-20 14:19 UTC] kai at jedi dot net
Having the HTTP POST data set vars in the page willy-nilly is extremely dangerous.  You never know how something got set, and anyone who has seen the source could find a way to pass in malicious variables and values to your scripts.  Yes, initting vars carefully helps but...

A feature that allows us to have FORM vars appear ONLY in the global HTTP_POST_VARS array (and not set local variables as now) would be GREATLY appreciated.


 [2000-04-20 14:47 UTC] zeev at cvs dot php dot net
It already exists.  Turn off register_globals and turn on track_vars.
Read the php.ini-dist file supplied with PHP 4.0RC1.
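
The difference between the two settings discussed in this report, as an added example that is not part of the original report or of PHP's own code. `extract()` stands in for register_globals, which current PHP no longer has; `check_password()`, the handler names and the sample form data are hypothetical.

```php
<?php
// Added illustration, not code from the bug report or from PHP itself.

function check_password(string $pw): bool
{
    // Hypothetical stand-in for a real credential check.
    return hash_equals('correct horse', $pw);
}

// register_globals on, emulated with extract(): every form field becomes
// a variable in the script before the script's own logic runs.
function handler_register_globals(array $post): bool
{
    extract($post); // assumption: emulates register_globals = On
    if (isset($password) && check_password($password)) {
        $authorized = true;
    }
    // $authorized is never initialised here, so a form field with the
    // same name decides the outcome when the password check fails.
    return !empty($authorized);
}

// register_globals off, track_vars on: form data is reachable only
// through the request array (HTTP_POST_VARS in PHP 4.0).
function handler_tracked_array(array $postVars): bool
{
    $authorized = false; // internal state starts from a known value
    $password = $postVars['password'] ?? '';
    if (is_string($password) && check_password($password)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed sample request: a wrong password plus an extra field named
// after the script's internal variable.
$post = ['password' => 'guess', 'authorized' => '1'];

var_dump(handler_register_globals($post));
var_dump(handler_tracked_array($post));
```

In the first handler the extra form field ends up controlling `$authorized`; in the second it stays inert inside the array, which is the behaviour the report asks for.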
 
Last updated: Sun Jun 14 14:00:01 2026 UTC