Peter Petermann wrote:
> > I fully agree here with Rasmus and I also think this will
> > be the workaround for most people -- if one _does_ care
> > about security, he even knows what and how to do nowadays.
> > I don't think turning register_globals to off will evangelize
> > people to develop more secure scripts/applications.
> thats it.

I see your point, but I disagree.
Register_globals is a lanugage-feature which can result in 
security-gaps when people don't initialize their variables.
It's a common mistake, a pitfall, especially for beginners, that could 
be resolved by turning register_globals off.
There's a lot of beginners using PHP, and this wouldn't only make their 
applications a little more secure (just a little, but better than 
nothing), it will also teach them manners. Using $HTTP_*_VARS ist 
cleaner, IMO.

> what we could do to make people to write more secure script is:
> - telling them to do so,
> - telling them what is insecure
> - telling them why something is insecure
> - writing a special type of documentation, about  how to write secure
> scripts

Please, can you say "beginner"? Once people read that kind of stuff, 
they are not beginners any more. They aren't the problem.

You can't force people to write secure applications, but you can make 
it easier.


Madness takes its toll. Please have exact change.

PHP Development Mailing List <>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to