Is it possible to view server variables on a website you're visiting? Just wondering how secure they are. If it is possible, how do you do it?
jatar_k
4:42 am on Jun 11, 2004 (gmt 0)
What variables exactly are you worried about?
chadmg
4:25 pm on Jun 11, 2004 (gmt 0)
I must have been tired when I posted that. I meant to say session variables. Is it possible to view session variables that are set by a website? Is it possible to edit those variables through the browser or other means?
coopster
5:34 pm on Jun 11, 2004 (gmt 0)
Session variables are stored on the server. Unless you have access to the server files or database table where the sessions are stored, you won't have any access to the session variables. Can they be changed? That depends on how well you have implemented your code and set up your server. See the Example use of sessions with register_globals on or off in Using Register Globals [php.net] for more information.
jatar_k
5:36 pm on Jun 11, 2004 (gmt 0)
Also, never assume anything is impossible or that anything is 100% secure. A certain level of paranoia is always required and will help your security practices immensely.
chadmg
6:22 pm on Jun 11, 2004 (gmt 0)
Thanks jatar_k and coopster. That's a great link. I tend to think most things are possible. That's why I asked. :)
Is there a quick way to determine if register_globals is on or off?
PS you can change the setting via php.ini or by adding the following to your .htaccess:
php_flag register_globals off
Tom
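An added example, not part of the thread: one way to check the register_globals setting from a script, next to a simulation of why the setting matters for session-based checks. The function names are hypothetical, the request and session arrays are constructed sample input, and extract() stands in for what register_globals does on builds that still have it.

```php
<?php
// Added example; the function names below are hypothetical.

// ini_get() returns false when the directive does not exist (it was removed
// in PHP 5.4) and a string such as "", "0", "1" or "On" on older builds.
function register_globals_enabled()
{
    $raw = ini_get('register_globals');
    if ($raw === false) {
        return false;
    }
    return in_array(strtolower(trim($raw)), array('1', 'on', 'yes', 'true'), true);
}

// Simulates register_globals = on: request parameters become local
// variables before the script's own logic runs.
function is_authorized_globals_style(array $request, array $session)
{
    extract($request);              // stand-in for register_globals
    if (isset($session['user_id'])) {
        $authorized = true;
    }
    // $authorized is never initialised, so a request parameter of the
    // same name decides the result when no session exists.
    return !empty($authorized);
}

// Hardened form: the flag is initialised and only server-side session
// data can set it; request input is ignored.
function is_authorized_session_only(array $request, array $session)
{
    $authorized = false;
    if (isset($session['user_id'])) {
        $authorized = true;
    }
    return $authorized;
}

$request = array('authorized' => '1');   // constructed: ?authorized=1
$session = array();                      // constructed: nobody logged in

printf("register_globals enabled: %s\n", var_export(register_globals_enabled(), true));
printf("globals-style check:      %s\n", var_export(is_authorized_globals_style($request, $session), true));
printf("session-only check:       %s\n", var_export(is_authorized_session_only($request, $session), true));
```

With register_globals off, the session data itself stays server-side; the hardened function shows the habit that keeps a check safe either way: initialise every variable and read session state only from $_SESSION.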
chadmg
1:11 pm on Jun 14, 2004 (gmt 0)
Thanks guys. I love php. There are such knowledgeable people out there. It's so much more robust than asp. Functions that I had to build by hand in asp are readily available in php.