I disagree here.  I believe that PHP, the way it is today, encourages 
people to write insecure code, even when they try to write secure 
code.  This is essentially what the article was saying, and I agree with 
it.  register_globals set to off won't solve the problem completely, and 
definitely not retroactively, but it'll be a big improvement step.

At 08:10 25/07/2001, Peter Petermann wrote:
> > If register_globals = off is highly recommended,
> > why does the default php.ini have
> > register_globals=on
> > Many people do not change this.
>this wouldnt realy help at all,
>if you change this,
>and you need those vars in a script, most people would do the same
>like register_globals does.
>the way to protect against this issue isnt switching this feature off,
>it is writing code which protects against such attacks.
>this is not a language issue, it is a
>script-coder one,
>if someone is not able to handle this,
>he is not able to write scripts if register_globals is turned off
>- Peter
>*ZIMT - where PHP meets needs*
>Homepage: www.cyberfly.net - [EMAIL PROTECTED]
>PHP Usergroups: www.phpug.de - [EMAIL PROTECTED]
>Just for Fun: www.fist-center.de - [EMAIL PROTECTED]

Zeev Suraski <[EMAIL PROTECTED]>
CTO &  co-founder, Zend Technologies Ltd. http://www.zend.com/

PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to