Hello,

on 06/18/2006 04:19 AM Satyam said the following:
>> Good code won't be vulnerable to register_globals either, but having
>> register_globals on is a security problem because there are security
>> flaws that can only be exploited when register_globals is enabled.
>>
>
> Actually, code quality cannot overcome the vulnerability of
> register_globals. Every program will have global variables.
> register_globals=on may overwrite a valid global variable, one totally
> unrelated to user input, with a value coming from the request, and there
> is nothing good coding can do about it. The chances that an external
> user might hit the right variable name are slim (unless a disgruntled
> former programmer) but they exist.

There is a big misunderstanding about this matter. Having register
globals on does not make PHP overwrite global variables. It rather may
initialize global variables with values related to the request.

There may only be a problem with scripts that assumed those global
variables would not be initialized before the start of a script. Even if
there is a problem due to a distraction of the developer, it may not
even be necessarily a security problem.

If you initialize your script global variables properly, having register
globals on will never be a problem to you.

You may also read this as, if you are a competent developer, you will
not make these silly mistakes, especially by now when we all are so over
the issue and triple checked our code bases.

--

Regards,
Manuel Lemos

Metastorage - Data object relational mapping layer generator
http://www.metastorage.net/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
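
The initialization behaviour discussed in this thread, as an added example that is not part of the original message or of PHP's own code. register_globals was removed in PHP 5.4, so the import is emulated here with `extract()`; `password_ok()`, the secret and the sample requests are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Emulation (assumption): with register_globals=on, request values were
// placed in the global scope *before* the first statement of the script ran.
// extract() at the top of each function stands in for that import.

// Constructed stand-in for a real credential check.
function password_ok(array $request): bool
{
    return hash_equals('constructed-secret', (string)($request['password'] ?? ''));
}

// Script that assumes $authorized does not exist until the check sets it.
function script_uninitialized(array $request): bool
{
    extract($request, EXTR_OVERWRITE);   // emulated import at script start
    if (password_ok($request)) {
        $authorized = true;
    }
    return !empty($authorized);          // a request-seeded value survives to here
}

// Same script, with the variable initialized before it is used.
function script_initialized(array $request): bool
{
    extract($request, EXTR_OVERWRITE);   // same emulated import
    $authorized = false;                 // assignment replaces any seeded value
    if (password_ok($request)) {
        $authorized = true;
    }
    return !empty($authorized);
}

// Constructed sample requests.
$requests = [
    'no credentials'        => [],
    'correct password'      => ['password' => 'constructed-secret'],
    'authorized=1 in query' => ['authorized' => '1'],
];

foreach ($requests as $label => $request) {
    printf(
        "%-22s uninitialized=%-5s initialized=%s\n",
        $label,
        var_export(script_uninitialized($request), true),
        var_export(script_initialized($request), true)
    );
}
```

The two functions differ only in the `$authorized = false;` line, and their results differ only for the request that carries `authorized=1`.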