At 20:53 02/01/1999, Peter Petermann wrote:
> > register_globals is off?  Of course not, but it's definitely going to knock
> > down a huge amount of exploits in their apps, and there are good chances
> > that these would be the only exploits in it.
>as rasmus wrote,
>this would only result in users using foreach to do that.

Two things:

(a) How about just setting register_globals to on?  We're not talking about 
taking this option away, for now, just turn it off by default.
(b) As I said, if someone wants to use a gun to shoot himself in the head, 
he's welcome to do so.  The least we could do is hand him the gun safely 
pointed in the other direction, and not point it to his brain.

>as long as there are people driving cars without knowing how to drive,
>they are dangerous for all of us.
>but do you think driving cars should no longer be allowed?
>you can't make mercedes, porsche etc. responsible for people killed
>by people who can't drive but did.

You argue that having a car with no brakes and just a better airbag is 
acceptable?  Peter, we're *NOT* talking about absolute things in here.  Of 
course, using your example, the only way to protect users, is by preventing 
them from writing scripts.  That's not the issue here.  The issue here is 
similar to giving them a car without brakes, and expecting them to handle 
it.  Can you blame the driver for the accident with a brakeless car?  It'd 
be quite dumb...  Shipping PHP with register_globals set to on is 
equivalent to shipping cars without brakes.  You hope that the user would 
be bright enough to install brakes, or use all sorts of advanced preventive 
measures like airbags, but the right thing to

>i think we are talking about something like this right now,
>the language is not responsible for users who don't know about security
>and, PHP is written in C, so maybe C should be changed to make it impossible to
>create in php something like register_globals=on...
>this is what you say, if you blame the language for that
>php is just a language, if people are not able to use it the right way
>there is nothing wrong with the language, it is about the people

I strongly suspect you haven't read the advisory, because it deals exactly 
with these issues.  In a perfect world, we'd just have something like 
security=on that'd handle all of the possible security issues.  Since none 
of us is holding his breath for such a world, we should try to provide a 
system that at least isn't prone to common, repeated and innocent looking 
security bugs.  PHP with register_globals=on is.

Zeev
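The "innocent looking security bug" this message refers to is the kind where a script forgets to initialise a variable and register_globals=on lets the request supply it. The following is an added illustration, not code from the thread or from PHP itself: it simulates register_globals inside a function with the same `foreach ($_GET as $k => $v) $$k = $v;` shim Peter mentions, so it runs offline on a plain array instead of a live request. The script, the variable names and the request values are constructed; it assumes PHP 7 or later for the `??` operator.

```php
<?php
// Constructed example: an access check written the way many 1999-era scripts were.
// With register_globals=on every request parameter becomes a PHP variable, so a
// variable the author never initialised can be supplied by the client.

// --- Behaviour under register_globals=on (simulated with the foreach shim) ---
function check_access_unsafe(array $request_vars): bool
{
    // This loop is what register_globals does for you, and what the
    // "foreach" workaround reintroduces when the option is turned off.
    foreach ($request_vars as $name => $value) {
        $$name = $value;
    }
    if (isset($request_vars['password'])
        && $request_vars['password'] === 'correct-horse') {
        $authorized = true;          // the only path the author intended
    }
    // $authorized was never initialised, so a request carrying
    // authorized=1 reaches this line with the flag already set.
    return !empty($authorized);
}

// --- Same logic written for register_globals=off ---
function check_access_safe(array $request_vars): bool
{
    $authorized = false;                        // initialise before use
    $password = $request_vars['password'] ?? ''; // read input explicitly
    if (hash_equals('correct-horse', (string) $password)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed requests: a genuine login, and a request that supplies only
// the flag the script was supposed to compute itself.
$legit  = ['password' => 'correct-horse'];
$forged = ['authorized' => '1'];

var_dump(check_access_unsafe($legit));
var_dump(check_access_unsafe($forged));
var_dump(check_access_safe($legit));
var_dump(check_access_safe($forged));
```

Run it with `php` on the command line: the unsafe version accepts both requests, because the forged one pre-populates `$authorized` before the check runs, while the safe version accepts only the genuine login. The point of the message above is that the fix is not clever validation but the default itself: with register_globals off, the script has to name the inputs it reads, so an unset flag stays unset no matter what the request carries.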


-- 
PHP Development Mailing List <http://www.php.net/>