Peter Petermann wrote:
> > I fully agree here with Rasmus and I also think this will
> > be the workaround for most people -- if one _does_ care
> > about security, he even knows what and how to do nowadays.
> > I don't think turning register_globals to off will evangelize
> > people to develop more secure scripts/applications.
>
> that's it.

I see your point, but I disagree.
Register_globals is a language feature which can result in 
security gaps when people don't initialize their variables.
It's a common mistake, a pitfall, especially for beginners, that could 
be resolved by turning register_globals off.
There are a lot of beginners using PHP, and this wouldn't only make their 
applications a little more secure (just a little, but better than 
nothing), it will also teach them manners. Using $HTTP_*_VARS is 
cleaner, IMO.

> what we could do to make people write more secure scripts is:
> - telling them to do so,
> - telling them what is insecure
> - telling them why something is insecure
> - writing a special type of documentation about how to write secure
> scripts

Please, can you say "beginner"? Once people read that kind of stuff, 
they are not beginners any more. They aren't the problem.

You can't force people to write secure applications, but you can make 
it easier.

regards
Wagner

-- 
Madness takes its toll. Please have exact change.

-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
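The pitfall Wagner describes (an uninitialized variable silently supplied by register_globals) next to the initialized, explicit-request-array form, as an added illustration that is not code from this thread; the check_password helper and its placeholder credential are assumptions:

```php
<?php
// Hypothetical credential check used by both variants below (placeholder only).
function check_password($candidate)
{
    return $candidate === 'placeholder-password';
}

// --- Fragile pattern: $authorized is assigned on one branch only. ---
// With register_globals=On, every request parameter is imported into the
// global scope before this script runs, so a parameter named "authorized"
// would leave $authorized already set. The script never initializes it,
// and the later check cannot distinguish "we set it" from "it arrived set".
if (isset($HTTP_POST_VARS['password']) && check_password($HTTP_POST_VARS['password'])) {
    $authorized = true;
}
if (!empty($authorized)) {
    echo "fragile: privileged action\n";
}

// --- Hardened pattern: initialize first, read input only from $HTTP_*_VARS. ---
// Because $authorized is assigned unconditionally before use, nothing imported
// from the request can influence it, regardless of the register_globals setting.
$authorized = false;
$password   = isset($HTTP_POST_VARS['password']) ? (string) $HTTP_POST_VARS['password'] : '';
if (check_password($password)) {
    $authorized = true;
}
if ($authorized) {
    echo "hardened: privileged action\n";
}

// Defensive check a script can make at startup: warn if the deployment still
// relies on register_globals, so the fragile pattern cannot go unnoticed.
if (ini_get('register_globals')) {
    error_log('register_globals is enabled; initialize all variables before use');
}
```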
