"Zeev Suraski" <[EMAIL PROTECTED]> wrote in message">news:
> As I said, it's easy, but it is considerably less easy than it is to add
> GET variables.  Let alone the fact that we're also dealing with SERVER and
> ENV vars, which cannot be injected at all.  How about people who check
> server variables, such as HTTPS, using isset()?  register_globals *is* evil.

I think register_globals should be set to off for all PHP users. $HTTP_*_VARS
are easy enough to access variables. (I would like to see $__POST, $__GET, etc
soon, though)
Users tends to use "php.ini-dist", since install manual/instruction says "copy
php.ini-dist to php.ini". How about provide a "php.ini-recommended" with
appropriate comments in next rerelase?

Yasuo Ohgaki

PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to