On Fri, 27 Jul 2001, Zeev Suraski wrote:

> 
> >   It will simply cause
> >scripts to break in non-obvious ways and the knee-jerk fix will be to
> >swear at those annoying PHP folks and then turn register_globals on, or
> >they will do something like:
> >
> >   foreach($HTTP_POST_VARS as $key=>$val) $$key = $val;
> >   foreach($HTTP_GET_VARS as $key=>$val) $$key = $val;
> >   foreach($HTTP_COOKIE_VARS as $key=>$val) $$key = $val;
> >
> >And yes, I have run across code like this.
> 
> If somebody wants to shoot himself in the head, he's quite welcome to do 
> it.  But when you hand a gun over to somebody, you don't point it at his 
> head, but safely hand it to his hands.  What he does afterwards is his own 
> business (assuming he doesn't come after you :)
> 

I think Rasmus is right. We've been shooting the guy in the head for the last
few years while register_globals was/is on. People incorporating other PHP
libraries like Horde/PHPLIB (just examples) and what have you will immediately
break; even after they fix their own code, the third-party libraries will still
be broken. This means that the library maintainers will be under significant
pressure to release a patch, fixing the code to use a safer method of accessing
user data. My guess is the above patch is what will make it in, not because the
guy doesn't understand it's bad, but he was already shot in the head by the
default php.ini setting and so he's not really _losing_ anything now.

--

John Donagher
Application Engineer
Intacct Corp. - Powerful Accounting on the Web
408-395-0989
720 University Ave.
Los Gatos CA 95032
www.intacct.com

Public key available off http://www.keyserver.net
Key fingerprint = 4024 DF50 56EE 19A3 258A  D628 22DE AD56 EEBE 8DDD


-- 
PHP Development Mailing List <http://www.php.net/>
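
Added example, not part of the original thread or of any project named in it: the blanket import loop quoted above next to an explicit read of the fields a script expects. The function names, the `$post` array standing in for `$HTTP_POST_VARS`, and the toy access check are all hypothetical.

```php
<?php
// Constructed request data standing in for $HTTP_POST_VARS (hypothetical values).
// The script only expects "username"; "authorized" is an extra key sent by the client.
$post = ['username' => 'guest', 'authorized' => '1'];

// "Before": the import loop from the thread, which re-creates register_globals.
function check_access_blanket(array $post): bool
{
    // Every request key becomes a local variable, expected or not.
    foreach ($post as $key => $val) $$key = $val;

    // $authorized is assigned only on the success path and never initialised,
    // so a value imported from the request is still there when it is tested.
    if (isset($username) && $username === 'admin') {
        $authorized = true;
    }
    return !empty($authorized);
}

// "After": initialise state first, then read only the named field.
function check_access_explicit(array $post): bool
{
    $authorized = false;

    // Pull exactly one key, and require it to be a string (not an array).
    $username = (isset($post['username']) && is_string($post['username']))
        ? $post['username']
        : '';

    if ($username === 'admin') {
        $authorized = true;
    }
    return $authorized;
}

// Same request, two outcomes: the blanket import lets the client-supplied
// "authorized" key decide; the explicit read ignores it.
var_dump(check_access_blanket($post));
var_dump(check_access_explicit($post));
```

The same comparison applies to a third-party library patched with the import loop: its uninitialised variables stay exposed to request data exactly as they were with register_globals on.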