> register_globals is off?  Of course not, but it's definitely going to knock 
> down a huge amount of exploits in their apps, and there are good chances 
> that these would be the only exploits in it.
as Rasmus wrote,
this would only result in users using foreach to do that.
 
> >you can't fight security holes without knowing what the hole is, and you
> >can't make others write secure apps without teaching them about how this
> >works,
> >we shouldn't change php, we should give more information about these problems,
> >so everyone is able to learn how to avoid them.
> The way I see it, register_globals=on is pretty much like a swiss cheese 
> factory as far as it comes to security holes.  No php-security-central is 
> going to help here, and closing this factory down *is* going to help a 
> lot.  This doesn't come to say it'd eliminate all security holes out there, 
> obviously, just a great deal of them.
> discussion, but given the fact (or my view, rather) that 
> register_globals=on is *SUCH* a bad thing, none of them has too much to do 
> with it.  They're good and should be discussed regardless of this issue, 
> which should be resolved specifically, and in my opinion, by changing the 
> default.

as long as there are people driving cars without knowing how to drive,
they are dangerous for all of us.
but do you think driving a car should no longer be allowed?
you can't make Mercedes, Porsche etc. responsible for people killed
by people who can't drive but did.
i think we are talking about something like this right now,
the language is not responsible for users who don't know about security
and,
PHP is written in C, so maybe C should be changed to make it impossible to
create in PHP something like register_globals=on...
this is what you say, if you blame the language for that
PHP is just a language, if people are not able to use it the right way
there is nothing wrong with the language, it is about the people


-- 
*ZIMT - where PHP meets needs*
Homepage: www.cyberfly.net - [EMAIL PROTECTED]
PHP Usergroups: www.phpug.de - [EMAIL PROTECTED]
Just for Fun: www.fist-center.de - [EMAIL PROTECTED]
