On Tuesday 07 December 2004 01:32, Richard Lynch wrote:
> steve wrote:
> > Jason Wong wrote:
> >> With register_globals enabled, the problem is not with the $_POST, $_GET
> >> etc variables (although yes you should always validate data when they
> >> come from untrusted sources). The problem is that malicious users can
> >> pollute your namespace and if you do not initialise variables properly
> >> before using them your application can be compromised.
>
> On the contrary, with register_globals enabled, the problem *IS* with
> $_POST, $_GET etc variables being polluted!

I'm not sure I'm following you. Regardless of the register_globals setting, $_POST, $_GET and siblings have the potential to be polluted, and data from them should be validated and sanitised.

> That is the very definition of the problem register_globals was designed
> to solve.

... flummoxed ...

Anyway, the way I see it is that the original intent of register_globals (and it being enabled by default in older versions) was a feature so that people could work 'directly' (as it were) with the request variables instead of having to use $HTTP_POST_VARS['myvariable'] etc. It was only when people realised that it could be a liability that it became disabled by default.

> Turning register_globals OFF simply corrals the pollution so that it's
> *ONLY* in $_POST/$_GET/$_REQUEST/etc instead of automatically being spewed
> throughout the global name space of all variables.
>
> If you blindly walk through POST/GET, or use extract on them, or do
> something that turns *EVERY* POST/GET entry into a variable, you might as
> well turn register_globals ON -- Otherwise, your OFF setting is only
> providing you with a false sense of security, which is worse than no
> security at all.

This bit I follow and whole-heartedly agree with.
--
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
------------------------------------------
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
------------------------------------------
/* When you are about to die, a wombat is better than no company at all.
   -- Roger Zelazny, "Doorways in the Sand" */
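The following PHP is an added illustration of the point both posters end up agreeing on; it is not code from the thread or from any of its participants. It shows the pattern Richard describes (calling extract() on request data, or looping over it into variables, which recreates register_globals behaviour even when the setting is off) next to the hardened form Jason describes (initialise every variable before use, read request data only through an explicit allow-list, validate it). The function names and the constructed $untrustedRequest array are assumptions standing in for a real $_GET/$_POST.

```php
<?php
// Added example, not from the mailing-list thread.
// Constructed request data standing in for $_GET/$_POST/$_REQUEST.
// The 'authorized' key is the one the script never expects a client to send.
$untrustedRequest = ['username' => 'guest', 'authorized' => '1'];

// Vulnerable pattern: extract() turns every request key into a local variable,
// which is exactly what register_globals=On used to do automatically.
// $authorized is never initialised by the script, so the client controls it.
function loginExtractStyle(array $request): bool
{
    extract($request);

    // The "blindly walk through POST/GET" variant has the same effect:
    //   foreach ($request as $key => $value) { $$key = $value; }

    if (isset($username) && $username === 'admin') {
        $authorized = true;
    }
    // If the script never set $authorized, the request value is used instead.
    return !empty($authorized);
}

// Hardened pattern: every variable is initialised before use, request data is
// read only through an explicit allow-list, and each value is validated.
function loginSafe(array $request): bool
{
    $authorized = false;   // always initialised by the script, never by the client
    $username   = '';

    // Allow-list: only 'username' is read; 'authorized' is simply ignored.
    if (isset($request['username']) && is_string($request['username'])) {
        // Validate: restrict to a known-safe character set and length.
        if (preg_match('/^[A-Za-z0-9_]{1,32}$/', $request['username'])) {
            $username = $request['username'];
        }
    }

    if ($username === 'admin') {
        $authorized = true;
    }
    return $authorized;
}

var_dump(loginExtractStyle($untrustedRequest));
var_dump(loginSafe($untrustedRequest));
```

With the constructed request above, loginExtractStyle() grants access because the client-supplied 'authorized' value survives into the return statement, while loginSafe() denies it: the unexpected key never becomes a variable, and the one value that is read is validated before use. The same allow-list-and-initialise discipline applies whether register_globals is on or off, which is the sense in which $_POST and $_GET must always be treated as untrusted.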