[Pugged] Alright, my turn
Chris Van Cleve
ciapug@ciapug.org
Tue, 24 Sep 2002 23:44:35 -0500
On Tuesday, September 24, 2002, at 06:45 PM, David Champion wrote:
> Chris Van Cleve wrote:
>> I'm hoping not to turn register_globals on. I'm a believer in keeping
>> with standards, especially for security. Besides, learning the
>> hard way first makes doing it the easy way that much more cake.
>
> The "register_globals" thing isn't so much a standard (it's been there
> for a long time), they just started defaulting it to "off" as a
> security issue. Not trying to talk you out of what you're doing -
> which is the "right" way to do it. There have been articles about turning
> register_globals off and using the arrays a long time before it became
> the default.
>
> The problem is that it breaks a lot of pre-existing PHP code. The way
> around that is you put a register_globals = on in the .htaccess for
> those apps that still need it.
Well, I have the benefit of not having any code older than that being
the default. I read a lot about this coming to be, and why, and I agree
with it. So I want to keep it off. It was off before when this code
worked.
>> I actually tried that, oddly enough. It broke the whole include file.
>> ;)
>> I'll try it the simpler way Bryan mentioned and see how that goes. It
>> just seems odd to me that anything gets authorized except 0. That
>> throws me a bit.
>
> Are you sure it's failing on a zero? Could it maybe contain an empty
> string, or a null?
>
Yep, it works (stops access) if the user's seclvl is set to zero.
I changed from an is not expression to an is expression, as Bryan
suggested, and it worked. However, it now also blocks when seclvl >
$auth so I'm guessing I fubared something in the code somewhere trying
to fix it. I'm going back to an archive copy and changing the
expression to see what happens.
Chris VC