On 08/26/2010 03:29 AM, Keith Roberts wrote: > register_globals is supposed to be off by default - so that > should stop any global variables being injected. Doesn't matter. The vulnerability discussed is one where a PHP application actually takes the name of a file as input from the client. If your application does that and does not sanitize the path then it ends up vulnerable to code injection from the user.