On Wed, 2009-01-07 at 16:16 -0800, Jim Lucas wrote:
> Nathan Rixham wrote:
> > Richard Heyes wrote:
> >>> but, I'm more concerned: does the client have to pay for the changes/upgrade, or
> >>> is it still "my obligation"?
> >>
> >> Of course you charge him. Christ, if I was expected to maintain stuff
> >> gratis that I wrote 7 years ago I'd be mullahed.
> >>
> >
> > Concurred. Personally I'd be tempted to offer to find or indeed re-set up
> > on an old server if they could find one for free, but as for upgrading,
> > certainly quote/charge.
> >
>
> If one was to go this route, then why not just use a .htaccess file and turn on register_globals and
> call it good?
>
> I mean really, the customer would be in no greater risk than what they had been for the last 7 years.
>
> Reason being, nothing else has changed about the script. If there is an exploit in the script now,
> then there was an exploit in the past.
>
> I realize that I am going against what I preach here. But really, the ISP isn't going to pay for
> it. The owner isn't going to want to pay for it. Can't squeeze blood from a turnip...

What if the turnip is the programmer?

> If the programmer designed an insecure web site 7 years ago then the programmer should be
> responsible for making the application secure. That was part of his/her job in the beginning.

Nobody said it's insecure... only that register globals was used as a feature, a feature at one point touted as useful to the PHP language. As has been mentioned previously, register globals is not the real culprit of insecurity in this context; the real culprit is poor programming while using register globals... unfortunately such programming was common, thus requiring a strong antidote... namely the downstream removal of support for the feature.

> I mean, sure, when I first started designing/building web sites I thought I was doing the right thing
> most of the time. If two years down the road I had a moment of clarity and I realized that I had
> been doing something wrong or insecure for the past two years (which I've done) then I would go
> back and tell the customer that I did something wrong or insecure and I would fix it for free.

Ahhh... but this presumes the programmer did something wrong. That has not yet been determined. All we know is that globals were used, not that they were necessarily used incorrectly.

> This is part of my responsibility as a designer.
>
> With that said, I would imagine that over the past 7 years, if the site has not been exploited, then I
> would think that turning register_globals back on would be of no concern.
>
> To me, all the above sounds logical. If I am missing something, please point it out.

Duly pointed out ;)

Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
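To make concrete what "poor programming while using register globals" looks like, and what "used correctly" would have looked like, here is an added example. It is not code from the thread or from any of the posters; it is written for this page. It emulates register_globals with extract() over a constructed request array (nothing is read from a real request), and the function names, the credentials and the request arrays are all illustrative. It assumes PHP 7 or later (for the `??` operator and scalar return types; hash_equals() needs at least PHP 5.6).

```php
<?php
// Added example, not from the mailing-list thread.
//
// register_globals=On made every request variable (GET, POST, cookie, ...)
// appear as a PHP variable in global scope before the script ran. extract()
// over an array is the usual way to emulate that behaviour in a single
// function so the two patterns below can be compared side by side.

// --- Pattern 1: the classic register_globals mistake ---------------------
// The script relies on a variable that it never initialises ($authorized).
// Under register_globals, a request such as page.php?authorized=1 sets that
// variable before any of this code runs, so the access check is bypassed
// without ever supplying a username or password.
function check_access_vulnerable(array $request_vars): bool
{
    // Emulate register_globals: import every request variable into scope.
    // (Real register_globals imported from several sources in EGPCS order;
    // the emulation here is deliberately simplified.)
    extract($request_vars);

    if (isset($username, $password)
        && $username === 'admin' && $password === 'hunter2') {   // illustrative credentials
        $authorized = true;
    }
    // Bug: there is no "else { $authorized = false; }", so a request-supplied
    // $authorized survives to this point and is trusted.
    return !empty($authorized);
}

// --- Pattern 2: the same check written defensively ------------------------
// Every variable is initialised before use, and input is read explicitly
// from the request array instead of being trusted as a local variable.
// This code behaves the same with register_globals on or off, which is the
// property the thread's "used correctly" argument depends on.
function check_access_hardened(array $request_vars): bool
{
    $authorized = false;                                   // explicit default
    $username   = (string) ($request_vars['username'] ?? '');
    $password   = (string) ($request_vars['password'] ?? '');

    // hash_equals() gives a constant-time comparison; not the point of the
    // example, but it is what a practitioner would write today.
    if ($username === 'admin' && hash_equals('hunter2', $password)) {
        $authorized = true;
    }
    return $authorized;
}

// --- Constructed requests for a stand-alone run --------------------------
$requests = [
    'no credentials'           => [],
    'valid login'              => ['username' => 'admin', 'password' => 'hunter2'],
    'wrong password'           => ['username' => 'admin', 'password' => 'guess'],
    'injected authorized flag' => ['authorized' => '1'],   // the bypass attempt
];

foreach ($requests as $label => $vars) {
    printf("%-26s vulnerable=%-5s hardened=%s\n",
        $label,
        check_access_vulnerable($vars) ? 'true' : 'false',
        check_access_hardened($vars)   ? 'true' : 'false');
}
```

Run it with `php example.php`; the row labelled "injected authorized flag" is the one that separates the two patterns. Two caveats on the .htaccess route Jim suggests: a `php_flag register_globals On` line in .htaccess only takes effect when PHP runs as an Apache module (mod_php), not under CGI/FastCGI/FPM, and the setting no longer exists at all from PHP 5.4 onward, so on any current PHP the script has to be changed to read $_GET/$_POST explicitly (as in the hardened function) regardless of who pays for it.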