At 08:58 27/07/2001, Jason Greene wrote:
>I have been watching this thread for too long and I can no longer resist
>commenting.
>
>If a programmer does not initialize SECURE variables properly, he is going
>to make far worse security decisions in his software. Next thing we are
>going to hear is that php does not auto TAINT check parsed variables. I
>personally disagree with making register_globals=off a default. I really
>don't think it will make that big of a difference, and come on everyone,
>this is one of the coolest features of php.
Fact is that for many scripts (I'd argue most), this issue alone is going
to be the one and only security issue he'd bump into. It's all too
common. It's true that given other security 'decisions' he may have to
make, he may make wrong decisions. What's argued here is that
register_globals=off gives a clean, harmless-looking way of shooting
yourself in the foot.
I also don't subscribe to the idea that it's one of the coolest features of
PHP because it's a global variable. Auto registration of form variables is
equally cool if it's made in a secure way, instead of the security pitfall
we have right now.
Zeev
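The pitfall both posts are arguing about, as an added example that is not part of the original thread: a script that sets an access flag only on success, but never initializes it, against the same script with the flag initialized and input read explicitly. `extract()` is used here to stand in for what register_globals=on does to every request; the request arrays, the `validCredentials()` helper and the user/password values are constructed for the demonstration.

```php
<?php
// Added example (not from the thread). Simulates the register_globals pitfall:
// a security-relevant variable that the script never initializes can be
// pre-set by the request. extract() mimics register_globals=on.

// Vulnerable pattern: $authorized is only ever assigned on success, so its
// default value is "whatever the request registered".
function accessCheckUnsafe(array $request): bool
{
    extract($request);   // register_globals=on does this for every request
    if (isset($request['user'], $request['pw'])
        && validCredentials($request['user'], $request['pw'])) {
        $authorized = true;
    }
    // If the request carried an "authorized" variable, it is already set here.
    return !empty($authorized);
}

// Hardened pattern: every security-relevant variable gets an explicit default
// before any input is consulted, and input is read by name, not by scope.
function accessCheckSafe(array $request): bool
{
    $authorized = false;             // request cannot pre-set a local default
    $user = $request['user'] ?? '';
    $pw   = $request['pw'] ?? '';
    if (validCredentials($user, $pw)) {
        $authorized = true;
    }
    return $authorized;
}

// Hypothetical credential check; real code compares against a stored hash.
function validCredentials(string $user, string $pw): bool
{
    return $user === 'alice' && $pw === 'correct horse';
}

// Constructed requests: one with valid credentials, one that only supplies
// the variable name the script forgot to initialize.
$legit  = ['user' => 'alice', 'pw' => 'correct horse'];
$forged = ['authorized' => '1'];

var_dump(accessCheckUnsafe($legit));
var_dump(accessCheckUnsafe($forged));
var_dump(accessCheckSafe($legit));
var_dump(accessCheckSafe($forged));

// Defensive check for old interpreters (the directive was removed in PHP 5.4):
// warn loudly if it is still enabled.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    trigger_error('register_globals is on; uninitialized variables are client-controllable',
                  E_USER_WARNING);
}
```

The forged request passes the unsafe check with no credentials at all, which is the "clean, harmless-looking" failure the reply describes; the hardened version rejects it because the flag starts as `false` and only the named credential fields are read. Whether or not register_globals is the default, initializing such flags and reading request data explicitly is the fix that holds on both settings.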
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]