> -----Original Message----- > From: John Holmes [mailto:[EMAIL PROTECTED] > You are wrong. :) > > Having register_globals OFF helps to prevent poorly written programs from being vulnerable to > users setting variables in the URL/header/cookie data. You can still write horribly insecure > programs with register_globals OFF. You can easily write very secure programs that function > with register_globals ON or OFF, too.
http://us2.php.net/manual/en/security.globals.php Exactly. It's merely there so that beginning developers don't blindly stumble forward making bad decisions - give them a sense that there's this thing called input checking and initialization. That said, it's a shame that there are still commercial programs that rely on it - solely because it defaults to off since 4.2 and many people may not have the access to change it*. One would want to avoid as much technical support as necessary, in such instances :) Personally I prefer explicitly pulling data into my scripts, so I like it being OFF regardless of defaults, but others may have other opinions. * I know it can be changed in .htaccess, I just don't know what options the server needs to be running under for this - AllowOverride ALL certainly - but I would hope something more lax would allow it. Still, it seems being able to change that would give the user the ability to change the max_memory/max_execution_time of php scripts - which I can't imagine any reselling host wanting a shell/etc. account doing. Cheers, - Martin Norland, Database / Web Developer, International Outreach x3257 The opinion(s) contained within this email do not necessarily represent those of St. Jude Children's Research Hospital. -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php