Thanks for the advice, MJ. I left that globals thing turned off on my test board, so everything is being developed with that concern in mind.
But now I've got another question: if I can't use form data as variables, how
do I use it??? No tutorial or info I've ever came across says anything other than variables. And that sure seems to be the most efficient way, even if there are some security concerns. But is there some other safer way to use the form data that I should be using? How do other scripts handle it? Like, discussion boards rely on forms quite a bit, so how come we don't see everyone's vB getting hijacked by l33t 5cr1p7 k1dd13z every five minutes?
If it matters, all of my forms use POST instead of GET, which I would think would be safer because the URL query string isn't involved. And for the few things I do use the URL for (mostly telling the script which function to run, same deal as ?ubb=get_topic or what have you), I wrote myself a cute little encryptor thingy that masks the query string before sending it to the browser. It's no RC6, by any means, but it gets the job done and will tack on a few extra minutes before the would-be attacker can figure out how it works and exploit it. The other thing I've got going for me is that almost all of the forms are only in the admin cp area, which is (or will be) protected by user authentication - in theory only company employees will ever even see it, and they're not exactly the most computer-literate group of people I've came across, so I doubt there will be any hostile takeover attempts from them.
Sorry for all the questions, but like I said, I'm very new at this. And my company is very paranoid about security stuff, so I figure I may as well cover all my bases and make this thing as secure as possible. Thanks again.
---Jamin
