At 15:07 25/07/2001 -0700, PHP wrote:
>On Wed, Jul 25, 2001 at 07:31:59AM -0700, Rasmus Lerdorf wrote:
> > Because not everyone agrees that this is actually "highly recommended".
> > Most third-party PHP code you may want to run will not work very well with
> > register_globals off.  And turning register_globals off isn't actually as
> > helpful from a security perspective as many people seem to think.
> >
> > The basic thing it would help would be in cases like this:
> >
> >    <?
> >          if($user=='rasmus') {
> >                $ok = true;
> >          }
> >
> >          if($ok) {
> >                ... secure code ...
> >          }
> >    ?>
>Don't forget the use of session variables.
>On one page you:
>         session_start();
>         session_register("user");
>         $user = 'admin';
>And then on another page you:
>         session_start();
>         if ($user == 'admin')
>         {
>         }
>If a malicious user goes to the second page first
>they could overwrite $user and break security.

*** That's why one should use $HTTP_SESSION_VARS =8)

At my office we are 30+ developpers from many different backgrounds and 
skill levels.
Very few people tend to declare their variables and almost none make use of 
HTTP_*_VARS except for POST.

Most people rely on "the network security", trusting the NOC, but failing 
to realize that direct web access can be harmful.
Our codebase is quite secure I believe, but if you take every individual 
scripts, most of them are not.

I think forcing to make use of HTTP_*_VARS by register_globals=off would 
break a whole lot of code around (both inside our company and in the wild).
But it brings the advantage of putting most of the security over to PHP 
instead of "innocence of the user" and moreover makes the code more 

I'm looking forward to HAL2001 to discuss those points with other 
attendants, then release some "guidelines for securing PHP code".
Any contribution is welcome.


PHP Development Mailing List <>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to