I have been watching this thread for too long and I can no longer resist commenting.
If a programmer does not initialize SECURE variables properly, he is going to
make far worse security decisions in his software. The next thing we are going
to hear is that PHP does not auto TAINT-check parsed variables. I personally
disagree with making register_globals=off a default. I really don't think it
will make that big of a difference, and come on, everyone, this is one of the
coolest features of PHP.
-Jason
----- Original Message -----
From: "Rasmus Lerdorf" <[EMAIL PROTECTED]>
To: "Alexander Wagner" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, July 27, 2001 9:37 AM
Subject: Re: [PHP-DEV] Security Issues
> > Peter Petermann wrote:
> > > > I fully agree here with Rasmus and I also think this will
> > > > be the workaround for most people -- if one _does_ care
> > > > about security, he even knows what and how to do nowadays.
> > > > I don't think turning register_globals to off will evangelize
> > > > people to develop more secure scripts/applications.
> > >
> > > That's it.
> >
> > I see your point, but I disagree.
> > Register_globals is a language feature which can result in
> > security gaps when people don't initialize their variables.
> > It's a common mistake, a pitfall, especially for beginners, that could
> > be resolved by turning register_globals off.
>
> And is resolved by turning on E_NOTICE.
>
> > Please, can you say "beginner"? Once people read that kind of stuff,
> > they are not beginners any more. They aren't the problem.
> >
> > You can't force people to write secure applications, but you can make
> > it easier.
>
> Or you can simply stop these people from using PHP which is another effect
> turning off register_globals will have.
>
> Java does not have this problem because Java is so complex that this same
> set of users can not program in Java. Fixing this problem by making PHP
> more complex and eliminating these "problem" users is a bad idea as far as
> I am concerned.
>
> -Rasmus
>
>
> --
> PHP Development Mailing List <http://www.php.net/>
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
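The pitfall the thread is arguing about, as an added example that is not code from the thread, from Jason, Rasmus, or from PHP itself: a script that never initializes its $authorized flag, run once the way register_globals=on would run it and once in a hardened form. register_globals was removed in PHP 5.4, so its effect is simulated with extract() over a constructed request array; check_password(), the 'user'/'password' keys and the $authorized variable are assumptions made for the illustration.

```php
<?php
// Added example (not code from the thread or from PHP's own source). It shows
// the pitfall under discussion: a variable the script never initializes, which
// register_globals lets a request pre-set. register_globals was removed in
// PHP 5.4, so its effect is simulated with extract() over a constructed array.
// check_password(), the 'user'/'password' keys and $authorized are assumptions.

error_reporting(E_ALL);

// Stand-in credential check for the demo; real code would consult a user store.
function check_password(?string $user, ?string $password): bool
{
    return $user === 'alice' && $password === 's3cret';
}

// What a register_globals=on script looked like: every request parameter
// appears as a plain variable, so an attacker-supplied ?authorized=1 lands in
// the same namespace as the script's own variables.
function login_register_globals_style(array $request): bool
{
    extract($request, EXTR_OVERWRITE);   // simulates register_globals=on

    // The bug the thread is about: $authorized is assumed to start out unset.
    if (isset($user) && check_password($user, $password ?? null)) {
        $authorized = true;
    }

    // With a planted authorized=1 this is true even though the password check
    // failed. Without the planted parameter, E_ALL reports $authorized as
    // undefined here (a notice in PHP 4/5, a warning in PHP 8); that is the
    // diagnostic Rasmus means when he says E_NOTICE resolves the mistake.
    return (bool) $authorized;
}

// Hardened form: initialize every security-relevant variable before use, and
// read request data explicitly from the request array instead of trusting
// whatever happens to exist as a global.
function login_hardened(array $request): bool
{
    $authorized = false;
    $user       = $request['user'] ?? null;
    $password   = $request['password'] ?? null;

    if (check_password($user, $password)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed request: no password at all, but a planted authorized=1.
$attack = ['user' => 'alice', 'authorized' => '1'];

var_dump(login_register_globals_style($attack));
var_dump(login_hardened($attack));
```

Run with `php example.php`: the register_globals-style function reports the request as authorized because extract() put the planted '1' into $authorized before the password check ever ran, while the hardened function reports false. Drop the 'authorized' key from the constructed request and rerun to see the undefined-variable diagnostic the thread refers to; note that it only fires when the attacker does *not* plant the variable, which is why initializing $authorized yourself, not just enabling E_NOTICE, is the fix that holds under attack.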