PHP constants and variables can be insecure if not used properly. The example below, taken from the PHP manual page security.globals.php, shows how a script can be compromised when the register_globals directive is turned on: every request parameter is registered as a global variable, so a variable the script never initialized can be supplied by the client.

<?php
// define $authorized = true only if user is authenticated
if (authenticated_user()) {
    $authorized = true;
}

// Because we didn't first initialize $authorized as false, this might be
// defined through register_globals, like from GET auth.php?authorized=1
// So, anyone can be seen as authenticated!
if ($authorized) {
    include "/highly/sensitive/data.php";
}
?>
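The following is an added example, not code from the original post or the PHP manual. Since register_globals was removed in PHP 5.4, extract() over a constructed request array stands in for the directive, and authenticated_user() is an assumed stand-in for a real session check. It puts the vulnerable check beside the hardened one, where $authorized is initialized to false before any trusted logic can set it, so a forged authorized=1 parameter passes the first check and fails the second.

```php
<?php
// Added example: simulates register_globals=On with extract(), which
// registers each request parameter as a variable, as the directive did.

function authenticated_user(): bool
{
    return false; // assumption: the visitor is NOT logged in
}

// Vulnerable pattern from the post: $authorized is never initialized,
// so an injected request parameter decides the outcome.
function check_vulnerable(array $request): bool
{
    extract($request); // stand-in for register_globals=On
    if (authenticated_user()) {
        $authorized = true;
    }
    // mirrors "if ($authorized)" without an undefined-variable notice
    return (bool) ($authorized ?? false);
}

// Hardened pattern: initialize the flag first, after any global
// registration, so only trusted logic can ever flip it to true.
function check_hardened(array $request): bool
{
    extract($request); // same simulated register_globals=On
    $authorized = false; // trusted default overwrites any injected value
    if (authenticated_user()) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed forged request, equivalent to GET auth.php?authorized=1
$forged = ['authorized' => '1'];

var_dump(check_vulnerable($forged)); // forged value reaches the check
var_dump(check_hardened($forged));   // initialized default wins
```

On PHP 5.3 and earlier, also set register_globals = Off in php.ini; initializing every security-relevant variable remains good practice regardless of the directive.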
