Please read the advisory.  You simply can't say that register_globals=off 
wouldn't have resulted in more secure apps, because there are *3* examples 
(or more, I don't remember) there of applications that would have not been 
exploitable had register_globals=on was in effect!
Unless we make the very unlikely assumption that these are the only apps 
that were vulnerable (and from what I understand in the advisory, pretty 
much any app they checked was vulnerable at one point or another), saying 
that setting register_globals to off is going to improve security is pretty 
much a fact, and not an opinion.


At 03:15 27/07/2001, Björn Schotte wrote:
>* Rasmus Lerdorf wrote:
> > significantly more secure PHP scripts out there.  It will simply cause
> > scripts to break in non-obvious ways and the knee-jerk fix will be to
> > swear at those annoying PHP folks and then turn register_globals on, or
> > they will do something like:
> >
> >   foreach($HTTP_POST_VARS as $key=>$val) $$key = $val;
> >   foreach($HTTP_GET_VARS as $key=>$val) $$key = $val;
> >   foreach($HTTP_COOKIE_VARS as $key=>$val) $$key = $val;
>I fully agree here with Rasmus and I also think this will
>be the workaround for most people -- if one _does_ care
>about security, he even knows what and how to do nowadays.
>I don't think turning register_globals to off will evangelize
>people to develop more secure scripts/applications.
>PHP Schulungen und                        | International PHP Conference
>Schulungsmaterial:                        |             05. - 07.11.2001
>                       |      Astron Hotel, Frankfurt
> |

Zeev Suraski <[EMAIL PROTECTED]>
CTO &  co-founder, Zend Technologies Ltd.

PHP Development Mailing List <>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to