Handling data coming in from HTML pages is by far the most common task in PHP, and many might say it deserves a whole chapter to itself! In this section, we will be looking at how variables get into your scripts, and also at how you can distinguish between where those variables come from.
Prior to PHP 4.1, variables submitted from external sources—such as session variables, cookies, form fields, etc.—were automatically converted to variables inside PHP, as long as
was enabled in the php.ini file, which it was by default. These variables were also accessible through the arrays
Imagine the following situation: you have a secure site, where members are identified by logon names, such as "Administrator," "Joe," and "Peter." The pages on this site track the username by way of the variable
UserID, which is stored in a cookie on the computer when the user authenticates to the site. With
$UserID is available as a variable to all scripts on your site, which, while helpful, is a security hole.
Here is a URL that demonstrates the problem: http://www.yoursite.com/secure.php?UserID=root. When
register_globals is enabled, all variables sent by
POST are also converted to variables, and are indistinguishable from variables from other sources. The result of this is that a hacker could, by using the URL above, impersonate someone else—like root!
This was clearly ...