> Peter Petermann wrote:
> > > I fully agree here with Rasmus and I also think this will
> > > be the workaround for most people -- if one _does_ care
> > > about security, he even knows what and how to do nowadays.
> > > I don't think turning register_globals to off will evangelize
> > > people to develop more secure scripts/applications.
> >
> > thats it.
>
> I see your point, but I disagree.
> Register_globals is a lanugage-feature which can result in
> security-gaps when people don't initialize their variables.
> It's a common mistake, a pitfall, especially for beginners, that could
> be resolved by turning register_globals off.
And is resolved by turning on E_NOTICE.
> Please, can you say "beginner"? Once people read that kind of stuff,
> they are not beginners any more. They aren't the problem.
>
> You can't force people to write secure applications, but you can make
> it easier.
Or you can simply stop these people from using PHP which is another effect
turning off register_globals will have.
Java does not have this problem because Java is so complex that this same
set of users can not program in Java. Fixing this problem by making PHP
more complex and eliminating these "problem" users is a bad idea as far as
I am concerned.
-Rasmus
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
