I would be very worried about the quality of any reply that posts a link
that says the opposite of what the person is saying. Nowhere in that link
did I see them say that turning on the globals was a security issue. The
page said the misuse of the globals was the security risk, due to forgetting
to initialize variables, and then goes on to show examples of the risks
if the globals aren't properly initialized. The security issues fall on the
web designer, not the ISP or PHP; the ISP and PHP don't control whether I forget to
initialize something in my PHP scripts. The first two paragraphs even state
that it is a web designer's problem (not in so many words, though).
[QUOTE]
Perhaps the most controversial change in PHP is when the default value for
the PHP directive register_globals went from ON to OFF in PHP 4.2.0.
Reliance on this directive was quite common and many people didn't even know
it existed and assumed it's just how PHP works. This page will explain how
one can write insecure code with this directive but keep in mind that the
directive itself isn't insecure but rather it's the misuse of it.
When on, register_globals will inject your scripts with all sorts of
variables, like request variables from HTML forms. This coupled with the
fact that PHP doesn't require variable initialization means writing insecure
code is that much easier. It was a difficult decision, but the PHP community
decided to disable this directive by default. When on, people use variables
yet really don't know for sure where they come from and can only assume.
Internal variables that are defined in the script itself get mixed up with
request data sent by users and disabling register_globals changes this.
[/QUOTE]
--Death Gauge
"How do you gauge your death?!"
----Original Message Follows----
From: Jasper Bryant-Greene <jasper@xxxxxxxxxxxxxxxxxx>
To: php-general@xxxxxxxxxxxxx
Subject: Re: [suspicious - maybe spam] [PHP] [suspicious - maybe spam]
RE: RE: Issues with News sites again...
Date: Wed, 14 Sep 2005 17:37:21 +1200
Death Gauge wrote:
I'll try that... But why shouldn't I have register_globals on (which my ISP
does, and every tutorial I've ever read says to do in order to use several
different features of PHP :-/)?
http://php.net/security.globals
I would be very worried about the quality of any tutorial that said that
(and any ISP that did that by default).
--
Jasper Bryant-Greene
Freelance web developer
http://jasper.bryant-greene.name/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
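Editor's note, added to the thread and not written by either participant: the failure mode the quoted php.net page describes (a request variable injected into the script, an internal flag that is never initialized, and the two getting mixed up) is easier to see in code than in prose. The script below is an added example. Because register_globals was removed in PHP 5.4, its effect is emulated with extract() over a constructed request array rather than a real HTTP request; the request values, the function names and the placeholder password 's3cret' are all assumptions made for the illustration.

```php
<?php
// Added example, not from the original thread or from php.net.
// Emulates register_globals (removed in PHP 5.4) with extract() so the
// script runs from the CLI without a web server.

// Constructed request, as a browser would send for ?authorized=1&username=guest
$request = ['authorized' => '1', 'username' => 'guest'];

// Vulnerable pattern: relies on register_globals and never initializes $authorized.
function vulnerableCheck(array $request): string
{
    // This is what register_globals did: every request key becomes a variable
    // in the script's scope, so $authorized and $username are now user-controlled.
    extract($request);

    // The author intended $authorized to be set only after a successful login,
    // e.g. if (checkPassword($username, $password)) { $authorized = true; }
    // On the failure path nothing assigns it, so the injected '1' survives
    // and the check below passes for anyone who adds authorized=1 to the URL.
    if (!empty($authorized)) {
        return "admin content for $username";
    }
    return "denied";
}

// Hardened pattern: initialize every internal flag, and read request data
// only through the request array (in a web context, $_GET/$_POST), never as
// bare variables.
function hardenedCheck(array $request): string
{
    $authorized = false;                                   // explicit initialization
    $username   = (string) ($request['username'] ?? 'anonymous');

    // Only a real credential check may flip the flag. The password is a
    // placeholder for the example; the request above does not carry one.
    if (isset($request['password'])
        && hash_equals('s3cret', (string) $request['password'])) {
        $authorized = true;
    }

    return $authorized ? "admin content for $username" : "denied";
}

echo "vulnerable: ", vulnerableCheck($request), PHP_EOL;
echo "hardened:   ", hardenedCheck($request), PHP_EOL;
```

Run with `php register_globals_demo.php` (file name assumed). The vulnerable function returns the admin content because `$authorized` is never initialized and the user-supplied value fills the gap; the hardened function denies the same request because the flag starts as `false` and is only ever set by the script's own check. This is the distinction the quoted page draws: the directive exposes request data as variables, but it is the uninitialized variable that turns that into a bypass.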