> (b) As I said, if someone wants to use a gun to shoot himself in the head,
> he's welcome to do so. The least we could do is hand him the gun safely
> pointed in the other direction, and not point it to his brain.
We are not talking about people who want to have security holes; we are
talking about people who do not know they have them.
This is like giving a loaded weapon to someone and not telling him that
he could kill with it.
> it. Can you blame the driver for the accident with a brakeless car? It'd
> be quite dumb... Shipping PHP with register_globals set to on is
> equivalent to shipping cars without brakes. You hope that the user would
> be bright enough to install brakes, or use all sorts of advanced preventive
> measures like airbags, but the right thing to
Well, I think you misunderstood me.
We are not talking about a brakeless car, and we are not talking
about a language that cannot be used securely.
We are talking about something that has the ability to be secure;
we just need to teach people how,
the same as people need to learn how to drive:
without that, they can start the engine and not know how to brake,
but the brakes are there!
> >I think we are talking about something like this right now:
> >the language is not responsible for users who don't know about security.
> >And PHP is written in C, so maybe C should be changed to make it impossible to
> >create in PHP something like register_globals=on...
> >This is what you say if you blame the language for that.
> >PHP is just a language; if people are not able to use it the right way,
> >there is nothing wrong with the language, it is about the people.
> I strongly suspect you haven't read the advisory, because it deals exactly
> with these issues. In a perfect world, we'd just have something like
> security=on that'd handle all of the possible security issues. Since none
> of us is holding his breath for such a world, we should try to provide a
> system that at least isn't prone to common, repeated and innocent looking
> security bugs. PHP with register_globals=on is.
I have read the advisory, but I can't agree that "register_globals=on" is the problem;
the user who can't deal with that is the problem.
PHP is a language;
if people don't secure their applications,
they are wrong, not PHP.
If I give you machines allowing you to build cars,
secure ones and insecure ones (those without brakes ;),
and you build an insecure one, that's not my fault.
But if I want to help you, I wouldn't turn off one of the
switches you use and hope you don't use another one for the same thing;
I would teach you how to build secure cars,
how to do crash tests etc.
- Peter
--
*ZIMT - where PHP meets needs*
Homepage: www.cyberfly.net - [EMAIL PROTECTED]
PHP Usergroups: www.phpug.de - [EMAIL PROTECTED]
Just for Fun: www.fist-center.de - [EMAIL PROTECTED]
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
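The "innocent looking" bug class the two sides are arguing about, as an added example that is not code from the thread or from the PHP project: a page that only assigns $authorized on successful login and then tests it, which register_globals=on lets a visitor bypass by supplying ?authorized=1. The directive was removed in PHP 5.4, so its effect is simulated with extract() over a request array (an assumption that stands in for the real EGPCS import into the global scope); the function names, the literal credentials and the sample requests are constructed for the example.

```php
<?php
// Added example, not code from the thread: the "innocent looking" bug class
// that register_globals=on produces, beside the hardened form.
// register_globals was removed in PHP 5.4, so its effect is simulated here
// with extract() over a request array (assumption: real register_globals
// imported GET/POST/Cookie/Env/Server variables into the global scope).

declare(strict_types=1);

/**
 * The vulnerable pattern. $authorized is only ever assigned on success, so the
 * author relies on it being unset (and therefore falsy) otherwise. With
 * register_globals=on an attacker supplies ?authorized=1 and skips the check.
 */
function check_page_vulnerable(array $request): string
{
    // Simulates register_globals=on: every request parameter becomes a variable.
    extract($request, EXTR_OVERWRITE);   // never do this with untrusted input

    if (isset($user, $pass) && $user === 'admin' && $pass === 'correct horse') {
        $authorized = true;
    }
    if (!empty($authorized)) {           // also true for an injected "1"
        return 'secret page';
    }
    return 'login required';
}

/**
 * The hardened form: every variable the code tests is initialised before use,
 * and input is read explicitly from the request array instead of appearing
 * as a variable. The literal credentials only keep the example self-contained;
 * real code compares against stored password hashes with password_verify().
 */
function check_page_hardened(array $request): string
{
    $authorized = false;
    $user = $request['user'] ?? '';
    $pass = $request['pass'] ?? '';

    if (is_string($user) && is_string($pass)
        && hash_equals('admin', $user) && hash_equals('correct horse', $pass)) {
        $authorized = true;
    }
    return $authorized ? 'secret page' : 'login required';
}

// Constructed sample requests (not captured traffic).
$requests = [
    'legit'  => ['user' => 'admin', 'pass' => 'correct horse'],
    'forged' => ['authorized' => '1'],        // no credentials at all
];

foreach ($requests as $label => $request) {
    printf("%-6s vulnerable: %-15s hardened: %s\n", $label,
        check_page_vulnerable($request), check_page_hardened($request));
}
```

Run it with the php command-line binary. The forged request, which carries no credentials, gets the secret page from check_page_vulnerable() and "login required" from check_page_hardened(); the only difference is initialising $authorized and reading input from the request array. On the configuration side, the matching php.ini line is `register_globals = Off`; PHP 4.2.0 made that the default and PHP 5.4 removed the directive entirely, so on current PHP the hardened pattern is the only one available.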