Hey all, 

        I am new to this list so if this topic has already been beaten to death let me 

        I assume that many of you have already read this article 


        about many of the basic security risks you need to be aware of when developing 
in PHP.  I was curious what ideas have already been covered in the areas of stopping 
this.  I also wanted to offer up my own suggestion.

        It seems that all the issues arise from the feature that sets PHP variable to 
be form variables.  The cleanest solution I can think of (albeit it breaks backward 
compatibility) would be to split the names-pace of form variables.  If normal or 
session variable stayed as $foo and $bar then form variables would be %foo and %bar, 
or something similar.   Breaking backward compatibility is bad but it would allow 
future applications to be free of these dangers and could be something set in the 
php.ini or rather a directive in the php script to allow old an new style scripts on 
the same server.  

        If there is work already being done in this area please point me to where I 
can read more about it.  PHP is far and away the best web development language and is 
really only hindered by security issues like this.


PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to