Kelly <lightsolphoenix@xxxxxxxxx> writes:

> The problem was, originally PHP would create variables with the names of the
> HTML elements they were originally taken from (<input type="text"
> name="test"> would become $test in PHP). Most authors used this feature
> without thinking, because it was convenient. But it allows for a bunch of
> serious attacks from the outside, especially if it is used in conjunction
> with database queries.
>
> Safe mode causes those elements to not be registered, forcing the author to
> access the variables using the special superarrays ($_GET, $_POST, $_COOKIE,
> etc.), which prevents the aforementioned attacks. They didn't just change it
> because it would have broken compatibility with older scripts; the general
> hope was that it would slowly be turned on over time.
>
> At least, that's what I seem to recall.

I think you are wrong. The above behaviour is controlled by the
register_globals variable in php.ini. Thus, there must be some other use
for safe-mode.

Regards
Ingemar
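The behaviour discussed in this thread (request parameters becoming script variables, versus reading them through the superarrays), shown as an added example that is not part of either message. `extract()` stands in for the automatic import because register_globals was removed in PHP 5.4; the function names, parameter names and values are constructed for illustration.

```php
<?php
// Constructed sample request: besides the form field "test", the client
// sends a parameter the form never contained.
$request = ['test' => 'hello', 'authorized' => '1'];

// Emulates register_globals = On: every request parameter becomes a
// variable in the script's scope before the author's code runs.
function page_with_register_globals(array $request): string
{
    extract($request); // stand-in for the old automatic import

    // Author's code: $authorized is set on success but never initialised,
    // so a request parameter of the same name survives this block.
    if (isset($password) && $password === 'constructed-secret') {
        $authorized = true;
    }
    return !empty($authorized) ? 'admin view' : 'public view';
}

// Same page with register_globals = Off: input is reachable only through
// the superarray passed in (as $_GET would be), and the flag is
// initialised locally before any decision is made.
function page_with_superglobals(array $get): string
{
    $authorized = false;
    $password = $get['password'] ?? null;
    if (is_string($password) && hash_equals('constructed-secret', $password)) {
        $authorized = true;
    }
    return $authorized ? 'admin view' : 'public view';
}

// The first page lets the request decide the flag; the second does not.
echo page_with_register_globals($request), "\n";
echo page_with_superglobals($request), "\n";
```

The difference comes from two things together: the setting no longer imports request names into scope, and the script initialises its own state instead of relying on a variable being unset.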