register_globals: PHP_INI_ALL in PHP <= 4.2.3. Deprecated in PHP 5.3.0. Removed in PHP 5.4.0. http://www.php.net/manual/en/configuration.changes.modes.php 所以在 php < 5.4.0 的版本之下，有 register_globals， 但是沒辦法用 ini_set() 在執行 php 期間開/關這個東西， 假設是某個虛擬主機商，提供了舊版的 php，而好死不死， 他們 register_globals = On，非常危險，我也改不了php.ini 我希望能讓所有的變數，例如 $_SESSION['xxx']…都能安全使用， 有什麼好方法嗎？程式碼精簡，而且漂亮的好方法。 多謝 :-) --

※ 發信站: 批踢踢實業坊(ptt.cc) ◆ From: 218.167.0.148 that is, <?php // define $authorized = true only if user is authenticated if (authenticated_user()) { $authorized = true; } // Because we didn't first initialize $authorized as false, this might be // defined through register_globals, like from GET auth.php?authorized=1 // So, anyone can be seen as authenticated! if ($authorized) { include "/highly/sensitive/data.php"; } ?> ※ 編輯: alfadick 來自: 218.167.0.148 (07/10 23:59) Perhaps the most controversial change in PHP is when the default value for the PHP directive register_globals went from ON to OFF in PHP>4.2.0. In PHP 4.2.0 and later, the default value for the PHP directive register_globals is off. This is a major change in PHP. Having register_globals off affects the set of predefined variables available in the global scope. For example, to get DOCUMENT_ROOT you'll use $_SERVER['DOCUMENT_ROOT'] instead of $DOCUMENT_ROOT, or $_GET['id'] from the URL http://www.example.com/test.php?id=3 instead of $id, or $_ENV['HOME'] instead of $HOME. For related information on this change, read the configuration entry for register_globals, the security chapter on Using Register Globals , as well as the PHP lol, 沒有人在 php<4.2.0 時 (i)買過虛擬主機 或 (ii)用過國外免費 php 空間 或 (iii)自己架站 嗎？ 在那個時候，大家應該都會有我這個需求，寫這個程式吧？ 沒有的話，程式危險得要命阿 ※ 編輯: alfadick 來自: 218.167.0.145 (07/11 18:34)