At 07:37 27/07/2001, Rasmus Lerdorf wrote:
> >> I see your point, but I disagree.
> > Register_globals is a language-feature which can result in
> > security-gaps when people don't initialize their variables.
> > It's a common mistake, a pitfall, especially for beginners, that could
> > be resolved by turning register_globals off.
>
>And is resolved by turning on E_NOTICE.

That's simply not true.  It can solve it only in a subset of the cases, 
maybe a fairly large subset, but definitely not anywhere close to 
100%.  From my experience it'd be perhaps half of the cases, and it would 
especially be useless with those apps which were written by good coders, 
that use isset(), and that were written to be E_NOTICE free.


> > Please, can you say "beginner"? Once people read that kind of stuff,
> > they are not beginners any more. They aren't the problem.
> >
> > You can't force people to write secure applications, but you can make
> > it easier.
>
>Or you can simply stop these people from using PHP which is another effect
>turning off register_globals will have.

That's also not true.  Is using $foo all that better than $_GET["foo"]?  I 
don't think so.  As a matter of fact, the 2nd alternative is probably going 
to be preferred by a fair amount of users, as it's much clearer what you're 
dealing with.

>Java does not have this problem because Java is so complex that this same
>set of users can not program in Java.  Fixing this problem by making PHP
>more complex and eliminating these "problem" users is a bad idea as far as
>I am concerned.

But it isn't.  It's by fixing an inherent design flaw in PHP.  The proposed 
target situation is *NOT* any more difficult to the users than the 
situation is today.  Yes, there's going to be a great deal of pain for 
those who migrate, but newcomers will find it equally easy (at the least), 
and old users will be made aware, quite clearly, that this feature is 
unsafe.  They can always turn it back on if they wish to take the 
chances.  Right now, we're taking the chances for them.

Zeev
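The pitfall Zeev describes above, as an added illustration that is not part of the original thread: a variable the application means to set only after its own check, read back through isset() so the script stays E_NOTICE-free. Under register_globals=On (PHP before 5.4) every request parameter became a global before the script ran, so no notice is ever emitted and the check is satisfied by the request alone. The extract($_GET) line and the lookup_is_admin() stub are assumptions of this example, added so it runs on a current PHP; the constructed request is marked as such.

```php
<?php
// Added example, not code from the thread. E_NOTICE is fully enabled here,
// so any read of an undefined variable would be reported.
error_reporting(E_ALL);

// Constructed request: the client appended ?is_admin=1&user=guest to the URL.
$_GET = array('is_admin' => '1', 'user' => 'guest');

// Assumption: emulate register_globals on a modern PHP, where the setting no
// longer exists. On PHP < 5.4 with register_globals=On the engine did this
// for every request before the first line of the script ran.
extract($_GET);

// Constructed stand-in for a database lookup; always says "not an admin".
function lookup_is_admin($user)
{
    return false;
}

// --- Vulnerable pattern -------------------------------------------------
// $is_admin is only ever assigned inside the application's own branch, and the
// author used isset() to keep the script notice-free. The request has already
// created $is_admin, so nothing is logged and the branch below is taken.
if (lookup_is_admin($user)) {
    $is_admin = true;
}
if (isset($is_admin) && $is_admin) {
    echo "vulnerable: admin panel shown\n";   // reached with E_NOTICE silent
} else {
    echo "vulnerable: access denied\n";
}

// --- Hardened pattern ---------------------------------------------------
// Initialise every piece of internal state before use and read client input
// only through the request arrays. A request parameter can then no longer
// stand in for application state, whatever register_globals is set to.
$is_admin_safe = false;
$who = isset($_GET['user']) ? $_GET['user'] : 'guest';
if (lookup_is_admin($who)) {
    $is_admin_safe = true;
}
if ($is_admin_safe) {
    echo "hardened: admin panel shown\n";
} else {
    echo "hardened: access denied\n";       // the only outcome for this request
}
```

Run from the command line the vulnerable block prints "admin panel shown" without a single notice, which is the half of the cases Zeev says E_NOTICE cannot reach; the hardened block denies access because its state was initialised by the application rather than inherited from the request.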


-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
