> Peter Petermann wrote:
> > I don't think it is easier to write more secure applications
> > with turning a feature off.
>
> In this particular case, it would. There are several reported cases of
> security-holes caused by this feature. Without it, there would be fewer
> insecure PHP-applications out there.
>
> That's a fact. That's the past. Now let's talk about the future.

Please, everyone keeps stating this and immediately jumping to turning
register_globals off as being the one and only solution simply because it
is the most obvious solution.

Think about whether in each of these cases it would have happened if the
developers of the app had developed with E_NOTICE on.  In a high number of
these cases it probably wouldn't.  And if this number is close to 100%,
then it would point to the fact that there is another less destructive
solution here.

This is why I want to go through and investigate existing PHP code and
have a look.

> But that's not the point. The point is that people who don't care about
> security or coding style (beginners or professionals, doesn't really
> matter) are less likely to write insecure code, because there's one
> mistake less that they can make. As long as they stick to the defaults,
> anyway.

And one language less that these people are able to use.

-Rasmus


-- 
PHP Development Mailing List <http://www.php.net/>
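The E_NOTICE argument in the message above, as an added example that is not part of the original thread: register_globals is emulated with extract() on constructed request arrays (the feature itself was removed in PHP 5.4), and password_ok, page_uninitialized and page_initialized are hypothetical names. It compares a page that never initializes its flag with one that does, while collecting what full error reporting raises.

```php
<?php
error_reporting(E_ALL); // includes E_NOTICE; PHP 8 reports undefined variables as E_WARNING

$diagnostics = [];
set_error_handler(function (int $severity, string $message) use (&$diagnostics): bool {
    $diagnostics[] = $message;   // collect instead of printing
    return true;
});

// Hypothetical credential check with a constructed secret.
function password_ok(array $request): bool
{
    return ($request['pw'] ?? '') === 'constructed-secret';
}

// $authorized is assigned only on success and never initialized.
function page_uninitialized(array $request): bool
{
    extract($request);           // emulates register_globals for this request
    if (password_ok($request)) {
        $authorized = true;
    }
    return (bool) $authorized;
}

// Same logic, with the variable initialized before it is read.
function page_initialized(array $request): bool
{
    extract($request);
    $authorized = false;         // replaces any value that came from the request
    if (password_ok($request)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed requests: an ordinary failed login, and one that also carries "authorized".
$cases = [
    'failed login'                => ['pw' => 'guess'],
    'failed login + authorized=1' => ['pw' => 'guess', 'authorized' => '1'],
];
foreach ($cases as $label => $request) {
    $diagnostics = [];
    $loose  = page_uninitialized($request);
    $strict = page_initialized($request);
    printf("%-28s uninitialized=%s initialized=%s diagnostics=%s\n",
        $label, var_export($loose, true), var_export($strict, true), json_encode($diagnostics));
}
```

The ordinary failed login is the case a developer meets during normal testing, and it is the one that raises the undefined-variable diagnostic naming the variable to initialize.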