> -----Original Message-----
> From: John Holmes [mailto:[EMAIL PROTECTED] 
> You are wrong. :)
> Having register_globals OFF helps to prevent poorly written programs from being vulnerable to
> users setting variables in the URL/header/cookie data. You can still write horribly insecure
> programs with register_globals OFF. You can easily write very secure programs that function
> with register_globals ON or OFF, too.


Exactly.  It's merely there so that beginning developers don't blindly
stumble forward making bad decisions - give them a sense that there's
this thing called input checking and initialization.  That said, it's a
shame that there are still commercial programs that rely on it - solely
because it defaults to off since 4.2 and many people may not have the
access to change it*.  One would want to avoid as much technical support
as necessary, in such instances :)

Personally I prefer explicitly pulling data into my scripts, so I like
it being OFF regardless of defaults, but others may have other opinions.

* I know it can be changed in .htaccess, I just don't know what options
the server needs to be running under for this - AllowOverride ALL
certainly - but I would hope something more lax would allow it.  Still,
it seems being able to change that would give the user the ability to
change the max_memory/max_execution_time of php scripts - which I can't
imagine any reselling host wanting a shell/etc. account doing.

- Martin Norland, Database / Web Developer, International Outreach x3257
The opinion(s) contained within this email do not necessarily represent
those of St. Jude Children's Research Hospital.
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
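
The point made in the thread above, as an added example that is not part of either poster's message: three versions of the same access check, run with the setting off and on. register_globals was removed in PHP 5.4, so it is simulated here with extract(); the function names, credentials and request values are all constructed for illustration.

```php
<?php
// Added illustration. register_globals no longer exists in current PHP, so it
// is simulated with extract(); all names and values here are constructed.

function check_login(string $user, string $pass): bool {
    // Hypothetical stand-in for a real credential check.
    return hash_equals('alice', $user) && hash_equals('correct-horse', $pass);
}

// Never initializes $authorized: safe only while register_globals is OFF.
function fragile_page(array $get, bool $registerGlobals): bool {
    if ($registerGlobals) { extract($get); }   // request keys become variables
    if (check_login($get['user'] ?? '', $get['pass'] ?? '')) {
        $authorized = true;
    }
    return !empty($authorized);
}

// Explicitly trusts a request field: insecure even with register_globals OFF.
function trusting_page(array $get, bool $registerGlobals): bool {
    if ($registerGlobals) { extract($get); }
    return ($get['authorized'] ?? '') === '1';
}

// Initializes its state and pulls in only the fields it needs, so the
// setting makes no difference.
function careful_page(array $get, bool $registerGlobals): bool {
    if ($registerGlobals) { extract($get); }
    $authorized = false;          // initialization overrides anything injected
    $user = is_string($get['user'] ?? null) ? $get['user'] : '';
    $pass = is_string($get['pass'] ?? null) ? $get['pass'] : '';
    if (check_login($user, $pass)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed request: ?authorized=1&user=mallory&pass=guess
$request = ['authorized' => '1', 'user' => 'mallory', 'pass' => 'guess'];
foreach (['fragile_page', 'trusting_page', 'careful_page'] as $page) {
    foreach ([false, true] as $rg) {
        printf("%-13s register_globals=%-3s granted=%s\n", $page,
            $rg ? 'ON' : 'OFF', var_export($page($request, $rg), true));
    }
}
```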
