Re: GET, POST, REQUEST

----- Original Message ----- From: "Manuel Lemos" <mlemos@xxxxxxx>
To: "PHP List" <php-general@xxxxxxxxxxxxx>
Sent: Sunday, June 18, 2006 10:12 AM
Subject: Re:  GET, POST, REQUEST


Hello,

on 06/18/2006 04:19 AM Satyam said the following:
Good code won't be vulnerable to register_globals either, but having
register_globals on is a security problem because there are security flaws
that can only be exploited when register_globals is enabled.


Actually, code quality cannot overcome the vulnerability of
register_globals.  Every program will have global variables.
register_globals=on may overwrite a valid global variable, one totally
unrelated to user input, with a value coming from the request, and there
is nothing good coding can do about it. The chances that an external
user might hit the right variable name are slim (unless a disgruntled
former programmer) but they exist.

There is a big misunderstanding about this matter. Having register
globals on does not make PHP overwrite global variables. It rather may
initialize global variables with values related to the request.

There may only be a problem with scripts that assumed those global
variables would not be initialized before the start of a script. Even if
there is a problem due to a distraction of the developer, it may not
even be necessarily a security problem.

If you initialize your script global variables properly, having register
globals on will never be a problem for you. You may also read this as: if
you are a competent developer, you will not make these silly mistakes,
especially by now, when we are all so over the issue and have triple checked
our code bases.

--


Indeed, you are absolutely right, sorry I caused any confusion about this.

Satyam

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
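As an added example that is not part of the thread, the following script contrasts the pattern Manuel describes (a global the script assumes is unset until it assigns it) with the same logic after proper initialization. register_globals was removed in PHP 5.4, so its effect is emulated with extract(); the $request array and validCredentials() are constructed for the illustration.

```php
<?php
// Added example (not from the thread). register_globals=on imported request
// keys as global variables before the script body ran; extract() reproduces
// that effect so the script runs on current PHP.
declare(strict_types=1);

// Constructed request: a client appended ?authorized=1 to the URL and sent
// credentials that do not match any account.
$request = ['authorized' => '1', 'user' => 'guest', 'pass' => ''];

function validCredentials(string $user, string $pass): bool
{
    // Stand-in for a real credential check; one constructed account exists.
    return $user === 'admin' && $pass === 'correct horse battery staple';
}

// The pattern Manuel warns about: the script never assigns $authorized on
// the failure path, so it relies on the variable being unset.
function uninitializedCheck(array $request): bool
{
    extract($request);                       // emulate register_globals=on
    if (validCredentials($user, $pass)) {
        $authorized = true;
    }
    // With the request above, $authorized already holds the string '1'
    // from the request, so this branch is decided by the client.
    return !empty($authorized);
}

// Properly initialized script: the request-supplied value is overwritten
// before any decision depends on it, so register_globals changes nothing.
function initializedCheck(array $request): bool
{
    extract($request);                       // same emulation
    $authorized = false;                     // explicit initialization
    if (validCredentials($user, $pass)) {
        $authorized = true;
    }
    return $authorized;
}

echo 'uninitialized: ', var_export(uninitializedCheck($request), true), PHP_EOL;
echo 'initialized:   ', var_export(initializedCheck($request), true), PHP_EOL;
```

The same initialization discipline removes the dependency on register_globals for every global the script owns, which is Manuel's point: the setting only matters where the script's own initialization is missing.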