Adam Zey wrote:
...
>>>
>>> http://www.otton.org/
>
> Turn off register globals. Now. It is a HUGE security hole.

it is NOT by definition a security hole - the problem arises from scripts that don't bother to initialize all their variables before using them, which allows blackhats to possibly interfere with the intended functionality of a script. e.g.

<?php
// myfile.php
// $delete is never initialized before the check below; with register_globals
// on, a request parameter named "delete" supplies it instead.
if (chkCleanRequired()) {
    $delete = true;
}
if ($delete) {
    doDeleteRoutines();
}
?>

which could be hacked like so (if register_globals was on):

somedomain.tld/myfile.php?delete=1

that said having register_globals turned on is bad practice - turning it off and using $_GET, $_POST and $_REQUEST is preferred and offers a buffer against silly mistakes related to not initializing variables properly ... in addition a number of members of the core php dev team are in the process of finalizing a data filtering extension [which I believe will be included in php by default] that will take data filtering to a whole other level in php ... soon even the use of the raw data in $_POST, $_GET, et al will be discouraged in favor of using the api provided by the filter extension... I'm so looking forward to that :-)

>
> You do NOT need it turned on to use $_GET or the other superglobals, and
> there is in fact no reason at all to EVER turn it on. The only
> conceivable reason that someone would enable it is for an old badly
> written script, and in that case one has to question why they are
> running an old badly written script :)

there are plenty of legacy codebases out there that rely on register_globals AND are quite adequate regarding protection from potential problems arising from register_globals being turned on.

>
> Regards, Adam Zey.
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
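The myfile.php bug discussed in the reply above, as an added example that is not part of the original thread: the vulnerable script beside a hardened rewrite. Because register_globals is gone from current PHP, the vulnerable form reproduces its behaviour with extract(), which likewise turns every request key into a local variable. chkCleanRequired() is an assumed stub (the real decision logic is not on the page), the $request array is a constructed stand-in for the ?delete=1 query string, and filter_var() stands in for the filter extension the poster mentions.

```php
<?php
declare(strict_types=1);

// Constructed request, standing in for somedomain.tld/myfile.php?delete=1
$request = ['delete' => '1'];

// Assumed stub: in the real script this decides whether cleanup is due.
function chkCleanRequired(): bool
{
    return false;
}

function doDeleteRoutines(): void
{
    echo "doDeleteRoutines() called\n";
}

// Vulnerable form. extract() does what register_globals=On did: every request
// key becomes a variable before the script's own logic runs, so a client-sent
// "delete" pre-seeds a variable the script never initialized.
function vulnerable(array $request): bool
{
    extract($request);
    if (chkCleanRequired()) {
        $delete = true;
    }
    // Attacker-supplied '1' is truthy, so this branch runs even though
    // chkCleanRequired() returned false.
    if (!empty($delete)) {
        doDeleteRoutines();
        return true;
    }
    return false;
}

// Hardened form. The decision variable is initialized and never touched by
// request data; anything the script does want from the client is read
// explicitly from the request array and validated.
function hardened(array $request): bool
{
    $delete = false;
    if (chkCleanRequired()) {
        $delete = true;
    }
    // Example of reading input the intended way: explicit key, validated type.
    $page = filter_var(
        $request['page'] ?? '1',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($page === false) {
        $page = 1;
    }
    if ($delete) {
        doDeleteRoutines();
    }
    return $delete;
}

var_dump(vulnerable($request));
var_dump(hardened($request));
```

For the constructed request, vulnerable() runs doDeleteRoutines() and returns true while hardened() returns false: initializing $delete is the whole fix, and reading input only through an explicit, validated lookup is what keeps the next variable from suffering the same fate. Note that extract() in real code is the same hazard under a different name and belongs on the same "do not use with request data" list as register_globals.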