Robert Cummings wrote:
> On Wed, 2009-01-07 at 16:16 -0800, Jim Lucas wrote:
>> Nathan Rixham wrote:
>>> Richard Heyes wrote:
>>>>> but, I'm more concern does client has to pay the changes/upgrade or
>>>>> it's still "my obligation"?
>>>> Of course you charge him. Christ if I was expected to maintain stuff
>>>> gratis that I wrote 7 years ago I'd be mullahed.
>>>>
>>> concurred, personally I'd be tempted to offer to find or indeed resetup
>>> on an old server if they could find one for free, but as for upgrading
>>> certainly quote/charge.
>>>
>> If one was to go this route, then why not just use a .htaccess file and turn on register_globals and
>> call it good?
>>
>> I mean really, the customer would be in no greater risk then what they had been for the last 7 years.
>>
>> Reason being, nothing else has changed about the script. If their is an exploit in the script now,
>> then their was an exploit in the past.
>>
>> I realize that I am going against what I preach here. But really, the ISP isn't going to pay for
>> it. The own isn't going to want to pay for it. Can't squeeze blood from a turnip...
>
> What if the turnip is the programmer?
>
In this case, it wouldn't be.
>> If the programmer designed an insecure web site 7 years ago then the programmer should be
>> responsible for making the application secure. That was part of his/her job in the beginning.
>
> Nobody said it's insecure... only that register globals was used as a
> feature, a feature at one point touted as useful to the PHP language. As
> has been mentioned previously, register globals is not real culprit of
> insecurity in this context, the real culprit is poor programming while
> using register globals... unfortunately such programming was common thus
> requiring a strong antidote... namely the downstream removal of support
> for the feature.
>
I didn't mean to imply that the programmer did build an insecure app. I said "if the programmer designed and insecure web site".
If the designer didn't build an insecure app, then it wont hurt a thing to turn on register_globals and just go back to the way it was before the ISP
upgraded.
>> I mean, sure when I first started designing/building web sites I thought I was doing the right thing
>> most of the time. If two years down the road I had a moment of clarity and I realized that I had
>> been doing something wrong or in-secure for the past two years (which I've done) then I would go
>> back and tell the customer that I did something wrong or in-secure and I would fix it for free.
>
> Ahhh... but this presumes the programmer did something wrong. That has
> not yet been determined. All we know is that globals were used, not that
> they were necessarily used incorrectly.
>
I didn't say that, nor did I mean to imply that. I was talking about my experiences.
>> Thia is part of my responsibility as a designer
>>
>> With that said, I would image that over the past 7 years, if the site has not been exploited, then I
>> would think that by turning register_globals back on would be of no concern.
>>
>> To me, all the above sounds logical. If I am missing something, please point it out.
>
> Duly pointed out ;)
>
> Cheers,
> Rob.
So, here is how I would summarize all the above.
Whether or not the programmer used the feature register_globals isn't of concern.
Whether the programmer designed and insecure app is the concern.
<?php
$APP_SECURE = (app is secure?); // Boolean: TRUE, FALSE
if ( $APP_SECURE ) {
print('Turn on register_globals and call the job done.');
} else {
print('Fix, at no cost, what you designed insecurely.');
}
?>
--
Jim Lucas
"Some men are born to greatness, some achieve greatness,
and some have greatness thrust upon them."
Twelfth Night, Act II, Scene V
by William Shakespeare
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
