PHP wrote:
> On Wed, Jul 25, 2001, Sebastian Bergmann wrote:
> > Andy wrote:
> > > If register_globals = off is highly recommended, why does the
> > > default php.ini have register_globals=on?
> >
> > For backward compatibility reasons. We intend to break this,
> > and other things, with either PHP 4.1 or PHP 5.
>
> Ah, you must be a PHP core developer! So good to meet you!
No, not really. I'll fwd this to php-dev.
> I fear that these security issues will take away (by default)
> one of the single nicest features that PHP has going for it
> (the register_globals). What is YOUR opinion on solving this
> problem (when it comes time to break backward compatibility)
> with a separate easy access namespace for these form variables.
> One implementation would be something like this:
>
> $foo // this is a normal variable
> %foo // this is a different foo, it is read only and came in via a POST or GET or otherwise.
>
> This way PHP would not lose its convenience at all but there could
> no longer be situations where someone could overwrite a
> variable you did not intend them to.
--
Sebastian Bergmann Measure Traffic & Usability
http://sebastian-bergmann.de/ http://phpOpenTracker.de/
--
PHP Development Mailing List <http://www.php.net/>
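
The variable overwrite discussed in the quoted message, next to the separate-namespace style it proposes, as an added example that is not part of the original thread or of PHP's own code. The names `check_login`, `$authorized` and the sample request are hypothetical, and `extract()` stands in for `register_globals = on`, which current PHP no longer offers.

```php
<?php
// Added illustration. All names and the request below are constructed.

// Constructed sample request, equivalent to ?user=mallory&authorized=1
$request = ['user' => 'mallory', 'authorized' => '1'];

function check_login(string $user): bool
{
    return $user === 'admin';   // placeholder credential check
}

// Style 1: request parameters become ordinary variables in the script's scope.
function page_with_globals(array $request): string
{
    extract($request);          // emulates register_globals = on
    if (check_login($user ?? '')) {
        $authorized = true;
    }
    // The script never initialised $authorized itself, so a value
    // supplied in the request is still in place when it is tested here.
    return !empty($authorized) ? 'secret shown' : 'access denied';
}

// Style 2: request data stays in its own array (the "separate namespace");
// every variable the script relies on is initialised by the script.
function page_with_namespace(array $request): string
{
    $authorized = false;
    $user = (isset($request['user']) && is_string($request['user']))
        ? $request['user']
        : '';
    if (check_login($user)) {
        $authorized = true;
    }
    return $authorized ? 'secret shown' : 'access denied';
}

echo page_with_globals($request), "\n";
echo page_with_namespace($request), "\n";
```

With the same request, the first function takes the `authorized` parameter as its own variable, while the second ignores it because request data never enters the script's variable scope.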