How to call the session variable?

This topic is closed.
  • Kurda Yon

    #31
    Re: How to call the session variable?

    >Because with register_globals on,
    >
    > http://www.example.com?admin=1
    >
    >sets $admin to 1 (true).

    It is confusing because if I think about register_globals, I think
    that it should be something to do with the global variables. But it
    seems not to be related to the global variables. In the above
    example, if $admin is NOT a global variable, we will still have the
    described problem. So it does not matter if $admin is global or not. The
    matter is that the script can take variables from the address line.
    And with "register_globals off" we force the script NOT to take the
    values from the address line. But it seems to me only a partial
    solution, because a hacker will try to pass the value of $admin
    through the form variables (or is it impossible?). So should we
    tell the script not to accept the form variables?

    Comment

    • Jerry Stuckle

      #32
      Re: How to call the session variable?

      Kurda Yon wrote:
      >>Because with register_globals on,
      >>
      >> http://www.example.com?admin=1
      >>
      >>sets $admin to 1 (true).
      >
      >It is confusing because if I think about register_globals, I think
      >that it should be something to do with the global variables. But it
      >seems not to be related to the global variables. In the above
      >example, if $admin is NOT a global variable, we will still have the
      >described problem. So it does not matter if $admin is global or not. The
      >matter is that the script can take variables from the address line.
      >And with "register_globals off" we force the script NOT to take the
      >values from the address line. But it seems to me only a partial
      >solution, because a hacker will try to pass the value of $admin
      >through the form variables (or is it impossible?). So should we
      >tell the script not to accept the form variables?
      >
      Even if they pass it through a form it won't make any difference. With
      register_globals off, the value will only be available in
      $_POST['admin'] or $_GET['admin'], depending on whether the method is
      POST or GET. $admin is not changed.

      --
      ==================
      Remove the "x" from my email address
      Jerry Stuckle
      JDS Computer Training Corp.
      jstucklex@attglobal.net
      ==================

      Comment
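The bypass Kurda Yon asks about and the behaviour Jerry describes, side by side, as an added example that is not code from the thread. It emulates what register_globals = On did (request parameters becoming PHP variables) with extract(), so the script runs offline against constructed input; the function names, the session layout and the sample requests are assumptions for the demonstration.

```php
<?php
// Added example, not code from the thread. extract() reproduces the effect of
// register_globals = On (every $_GET/$_POST key becomes a variable) so the
// bypass can be seen next to the hardened form. Function names and sample
// data are assumptions.

// Vulnerable pattern: $admin is only assigned on the success path, so whatever
// register_globals injected into it survives a failed login check.
function vulnerable_is_admin(array $session, array $request): bool
{
    // register_globals = On: ?admin=1 (or a form field named admin) becomes
    // $admin = "1" before the script's own logic runs.
    extract($request, EXTR_OVERWRITE);

    if (isset($session['user']) && $session['user'] === 'root') {
        $admin = true;
    }
    return !empty($admin);                    // attacker-supplied "1" is still here
}

// Hardened pattern (register_globals = Off): initialise before use and derive
// the flag from server-side session state only. Request data stays in
// $_GET['admin'] / $_POST['admin'] and never becomes $admin.
function hardened_is_admin(array $session, array $request): bool
{
    $admin = false;                           // known starting value
    if (isset($session['user']) && $session['user'] === 'root') {
        $admin = true;
    }
    // $request['admin'] is deliberately never consulted.
    return $admin;
}

// Constructed inputs: an anonymous visitor sending http://www.example.com?admin=1.
// The same payload in a POST form would land in $_POST and change nothing below.
$session = [];                                // in a real script: $_SESSION after session_start()
$request = ['admin' => '1'];                  // in a real script: $_GET or $_POST

var_dump(vulnerable_is_admin($session, $request));
var_dump(hardened_is_admin($session, $request));

// A genuinely logged-in root user still gets the flag from the hardened check.
var_dump(hardened_is_admin(['user' => 'root'], []));
```

Run with `php example.php`: the vulnerable check reports true for the anonymous attacker, the hardened check reports false, and the third call shows the hardened check still grants the flag to a real session. The two things that close the hole are the php.ini setting (register_globals = Off, which is the default from PHP 4.2 and removed entirely in 5.4) and the habit of initialising every flag before it is tested, so that even a stray variable cannot be mistaken for a decision the script made.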

      • Jonas Werres

        #33
        Re: How to call the session variable?

        >But how do you tell. There is never any context to the post as he
        >never quotes anything
        Oh come on. Is there still anyone left whose newsreader does not display
        trees?

        Comment

        • Captain Paralytic

          #34
          Re: How to call the session variable?

          On 15 Jan, 12:59, Jonas Werres <jo...@example.org> wrote:
          >>But how do you tell. There is never any context to the post as he
          >>never quotes anything
          >
          >Oh come on. Is there still anyone left whose newsreader does not display
          >trees?
          But try tracking those trees when there are 15 other posts in between

          Comment

          • Rik Wasmus

            #35
            Re: How to call the session variable?

            On Tue, 15 Jan 2008 13:59:08 +0100, Jonas Werres <jonas@example.org> wrote:
            >>But how do you tell. There is never any context to the post as he
            >>never quotes anything
            >
            >Oh come on. Is there still anyone left whose newsreader does not display
            >trees?
            Yes, I have a treeview; no, I usually don't feel like manually
            stepping back to see the exact previous post. On top of that, some messages
            may be dropped/lost on certain newsservers; you cannot count on the fact
            that everybody's newsserver carries exactly all articles. Some newsservers
            are more reliable than others in that aspect, and yes, as soon as I
            realise my newsserver drops too many articles, I'll switch. It's a pain
            though.

            For us more intensive usenet users (hmmm, alliteration), we usually have
            fine mechanisms to step through 'unread articles' or 'new messages in
            watched threads'. By simply opening my newsreader and using the spacebar I
            can cycle through all new messages. If they have context, I usually
            remember what the topic is about and/or can deduce what it's about from the
            quote. Being forced to step back and read the previous article, or
            perhaps even the N preceding articles as it is an ongoing conversation,
            wastes terrible amounts of my time. I do enjoy answering questions/giving
            input here, but as long as I don't get paid, make it easy for me (on an
            hourly rate it's not my problem having to spend more time :P). People who
            insist on not quoting even after they've had netiquette pointed out to them will
            get into the kill filter. Too bad for them, but maybe they don't care. I'd
            rather help people who aren't too lazy to spend the minimum amount of
            effort to make it easy to give them an answer. Also, to err is human; even
            the most careful and knowledgeable contributors to this group sometimes
            assume or overlook something or just make a plain error, and OPs may
            have left out vital information. So even in the answers to OPs it's
            advisable to leave some sort of context as a quote in the post, so that a
            possible correction/discussion/remark by others is still easily possible.

            As a final note: netiquette is there for a reason. It's the combined
            experience of regular/intensive usenet users over years. Even if something
            seems more convenient to you at some point, really think about why one
            assumes one knows better than thousands of others. And don't use that old
            non-argument: 'but usenet and usenet readers have evolved'. If one doesn't
            like the usenet way, maybe online HTTP forums are the way to go (guaranteed
            the same content for every user, no need to quote as all earlier content
            of posts is already visible on the same page, etc.), or even IRC (short
            questions, hopefully short answers, and if one has missed the context a
            simple question about what that is is usually enough for someone in the channel
            to give a short summary).

            [/rant]
            --
            Rik Wasmus

            Comment
