For the obvious reason that this is a huge incompatibility change, which
would break pretty much every application out there.
I discussed this with Kristian Koehntopp at LinuxTag, and he believes, and
I tend to agree with him, that this issue causes so many problems in PHP
that it probably should no longer be the default. I will raise this issue
soon, after making some improvements to PHP which would make working with
register_globals off a bit easier than it is today.
Zeev
At 06:07 25/07/2001, Andy wrote:
>If register_globals = off is highly recommended,
>why does the default php.ini have
>register_globals=on
>
>Many people do not change this.
>
>On Tue, 24 Jul 2001, Zeev Suraski wrote:
> > Setting register_globals to off (which is highly recommended) would prevent
> > PHP from defining form variables as global variables. For quite a while,
> > since the PHP 3.0 times, PHP provided an alternative way of accessing
> > variables - using special designated arrays - $HTTP_POST_VARS,
> > $HTTP_GET_VARS, and so forth. As of PHP 4.0.3 (IIRC), these variables are
> > always defined, and are protected (to a degree) by PHP. Setting
> > register_globals to off effectively prevents any outer access to your
> > namespace, outside $HTTP_*_VARS[].
> >
> > Zeev
> >
> > At 12:28 24/07/2001, PHP wrote:
> >
> > >Hey all,
> > >
> > > I am new to this list so if this topic has already been beaten to
> > > death let me know.
> > >
> > > I assume that many of you have already read this article
> > >
> > > http://lwn.net/2001/0704/a/study-in-scarlet.php3
> > >
> > >
> > > about many of the basic security risks you need to be aware of
> > > when developing in PHP. I was curious what ideas have already been
> > > covered in the areas of stopping this. I also wanted to offer up my own
> > > suggestion.
> > >
> > > It seems that all the issues arise from the feature that sets PHP
> > > variables to be form variables. The cleanest solution I can think of
> > > (albeit it breaks backward compatibility) would be to split the
> > > namespace of form variables. If normal or session variables stayed as
> > > $foo and $bar then form variables would be %foo and %bar, or something
> > > similar. Breaking backward compatibility is bad but it would allow
> > > future applications to be free of these dangers and could be something
> > > set in the php.ini or rather a directive in the php script to allow old
> > > and new style scripts on the same server.
> > >
> > > If there is work already being done in this area please point me
> > > to where I can read more about it. PHP is far and away the best web
> > > development language and is really only hindered by security issues
> > > like this.
> > >
> > > Orion
> > >
> > >
> > >
> > >--
> > >PHP Development Mailing List <http://www.php.net/>
> > >To unsubscribe, e-mail: [EMAIL PROTECTED]
> > >For additional commands, e-mail: [EMAIL PROTECTED]
> > >To contact the list administrators, e-mail: [EMAIL PROTECTED]
> >
> > --
> > Zeev Suraski <[EMAIL PROTECTED]>
> > CTO & co-founder, Zend Technologies Ltd. http://www.zend.com/
> >
> >
--
Zeev Suraski <[EMAIL PROTECTED]>
CTO & co-founder, Zend Technologies Ltd. http://www.zend.com/
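As an added example that is not part of the thread and not PHP's own code, the script below simulates the two configurations Zeev describes: register_globals=on, where every request parameter silently becomes a global variable, and register_globals=off, where request data is reachable only through the designated arrays ($HTTP_GET_VARS in PHP 4, $_GET since PHP 4.1). The request array, the checkUser() function and both page functions are constructed for illustration; extract() stands in for what the engine does when register_globals is on, so the script runs from the command line without a web server or the old ini setting.

```php
<?php
// Added example, not from the mailing-list thread.
// Constructed request an attacker might send: ?user=guest&authorized=1
$request = array('user' => 'guest', 'authorized' => '1');

// Hypothetical credential check: only 'admin' is privileged.
function checkUser($user)
{
    return $user === 'admin';
}

// Vulnerable pattern. $authorized is assigned only on success and is
// assumed to be unset otherwise. With register_globals=on (simulated
// here with extract()), the attacker's 'authorized=1' pre-populates it
// before the script's own logic runs, so the check is bypassed.
function vulnerablePage($request)
{
    extract($request);               // simulates register_globals=on
    if (checkUser($user)) {
        $authorized = true;
    }
    // Missing: an else branch that sets $authorized = false.
    return !empty($authorized) ? 'admin area' : 'denied';
}

// Hardened pattern. Request data is read only from the designated array
// ($HTTP_GET_VARS / $_GET, passed in as $get here), and every variable the
// script relies on is initialised before any request data is consulted.
// Nothing the client sends can reach the script's own namespace.
function hardenedPage($get)
{
    $authorized = false;
    $user = isset($get['user']) ? $get['user'] : '';
    if (checkUser($user)) {
        $authorized = true;
    }
    return $authorized ? 'admin area' : 'denied';
}

echo "register_globals=on,  naive code:        " . vulnerablePage($request) . "\n";
echo "register_globals=off, designated array:  " . hardenedPage($request) . "\n";
```

The php.ini side of the same change is a single line: the weak setting is `register_globals = On`, the corrected one `register_globals = Off`. Note that turning the directive off only removes the attacker's ability to pre-set variables; the initialisation of `$authorized` in hardenedPage() is still needed, since uninitialised-variable logic remains wrong even when the input namespace is separated.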