Guys, look back at the advisory. Apps written by *GOOD* PHP coders who
*ARE* aware of security issues were prone to register_globals=on attacks.
As the guy said in the advisory, it's arguable whether it's the language's
responsibility to guide you to write a secure app, or whether it's the
coder's responsibility. He says, and I agree with him, that if the
language 'encourages' you to write insecure apps, by providing and
streamlining insecure ways of implementing functionality, the language is
at fault. If most of the PHP apps out there are or were vulnerable to
register_globals=on attacks, we can't (shouldn't) blame the whole world,
but fix the language instead.
At 10:49 25/07/2001, Brian Tanner wrote:
>I'm gonna have to go ahead and agree with Peter. As a relative Newbie to
>PHP (1 year), I can tell you that when I switched from Perl to PHP, one of
>the biggest "Wow, this is great" features was the easy variable access. It
>makes it fast for a newbie to hack something together that works -- which is
>often all that is really needed.
>Should the average script be coded better? Yes. However, you can't
>legislate good coding by imposing sanctions on technique. (IMHO)
>I agree with Peter that if someone is writing a script with security even in
>the back corner of their mind, they will be initializing variables, and
>grabbing them from the appropriate "HTTP_*_VARS".
>If someone has no clue about security, they are lost anyway. You can't
>*force* their script to be secure from the outside. More likely, they are a
>novice programmer and will give up on PHP just as they have on Perl --
>because it is just too difficult for them to learn.
> >this is not a language issue, it is a
> >script-coder one,
> >if someone is not able to handle this,
> >he is not able to write scripts if register_globals is turned off
> >- Peter
>PHP Development Mailing List <http://www.php.net/>
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]
>To contact the list administrators, e-mail: [EMAIL PROTECTED]
Zeev Suraski <[EMAIL PROTECTED]>
CTO & co-founder, Zend Technologies Ltd. http://www.zend.com/
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]