At 02:18 26/07/2001, Ron Chmara wrote:
>> If most of the PHP apps out there are or were vulnerable to
>> register_globals=on attacks, we can't (shouldn't) blame the whole world,
>> but fix the language instead.
>
>I'd suggest fixing the code religion instead, but changing faiths is hard.
>:-) If they aren't checking their vars before processing, no language
>would fix it, would it?

Most would, actually. Pretty much any language which requires you to
declare variables, or that doesn't allow external sources to declare
variables, does not have this problem. PHP is quite unique in that sense,
which is why I agree that the language is at fault. Of course, declaring
and not initializing your variable is still a programming error, but it's
much less severe and much less prone to exploits than this problem.

Zeev
--
PHP Development Mailing List <http://www.php.net/>
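
The difference described in the message above, as an added example that is not part of the original thread: a flag the program never initializes next to the same flag initialized by the program. Because register_globals no longer exists in current PHP, `extract()` stands in for it here; `check_password()`, the handler names and the request data are hypothetical and constructed for illustration.

```php
<?php
// Added example: simulates register_globals=on on modern PHP, where the
// setting no longer exists. All names and request data are constructed.

// Hypothetical credential check; stands in for a real password lookup.
function check_password(array $request): bool
{
    return ($request['password'] ?? '') === 'correct-horse';
}

// Pattern at risk: $authorized is only assigned on the success path, so a
// request parameter with the same name supplies its value otherwise.
function handle_unsafe(array $request): string
{
    extract($request);              // stand-in for register_globals=on
    if (check_password($request)) {
        $authorized = true;
    }
    return !empty($authorized) ? 'admin page' : 'denied';
}

// Corrected form: the flag is initialized by the program and request data
// is read only through an explicit array lookup, never as a bare variable.
function handle_safe(array $request): string
{
    $authorized = false;
    if (check_password($request)) {
        $authorized = true;
    }
    return $authorized ? 'admin page' : 'denied';
}

// Constructed requests: one with valid credentials, one that only sets
// a parameter named after the internal flag.
$requests = [
    'valid login'   => ['password' => 'correct-horse'],
    'flag in query' => ['password' => 'wrong', 'authorized' => '1'],
];

foreach ($requests as $label => $request) {
    printf("%-14s unsafe=%-10s safe=%s\n",
        $label, handle_unsafe($request), handle_safe($request));
}
```

The two handlers agree on the valid login and differ only on the second request, where the unsafe handler takes the flag's value from the request.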