register_globals: PHP_INI_ALL in PHP <= 4.2.3. Deprecated in PHP 5.3.0. Removed in PHP 5.4.0. http://www.php.net/manual/en/configuration.changes.modes.php 所以在 php < 5.4.0 的版本之下，有 register_globals， 但是没办法用 ini_set() 在执行 php 期间开/关这个东西， 假设是某个虚拟主机商，提供了旧版的 php，而好死不死， 他们 register_globals = On，非常危险，我也改不了php.ini 我希望能让所有的变数，例如 $_SESSION['xxx']…都能安全使用， 有什麽好方法吗？程式码精简，而且漂亮的好方法。 多谢 :-) --

※ 发信站: 批踢踢实业坊(ptt.cc) ◆ From: 218.167.0.148 that is, <?php // define $authorized = true only if user is authenticated if (authenticated_user()) { $authorized = true; } // Because we didn't first initialize $authorized as false, this might be // defined through register_globals, like from GET auth.php?authorized=1 // So, anyone can be seen as authenticated! if ($authorized) { include "/highly/sensitive/data.php"; } ?> ※ 编辑: alfadick 来自: 218.167.0.148 (07/10 23:59) Perhaps the most controversial change in PHP is when the default value for the PHP directive register_globals went from ON to OFF in PHP>4.2.0. In PHP 4.2.0 and later, the default value for the PHP directive register_globals is off. This is a major change in PHP. Having register_globals off affects the set of predefined variables available in the global scope. For example, to get DOCUMENT_ROOT you'll use $_SERVER['DOCUMENT_ROOT'] instead of $DOCUMENT_ROOT, or $_GET['id'] from the URL http://www.example.com/test.php?id=3 instead of $id, or $_ENV['HOME'] instead of $HOME. For related information on this change, read the configuration entry for register_globals, the security chapter on Using Register Globals , as well as the PHP lol, 没有人在 php<4.2.0 时 (i)买过虚拟主机 或 (ii)用过国外免费 php 空间 或 (iii)自己架站 吗？ 在那个时候，大家应该都会有我这个需求，写这个程式吧？ 没有的话，程式危险得要命阿 ※ 编辑: alfadick 来自: 218.167.0.145 (07/11 18:34)