On Sat, 28 Jul 2001, Zeev Suraski wrote:

> Anyway, to be more constructive - Andi had an idea when we were catching a
> cab earlier today (yesterday).  His idea (which I'm just pitching, we
> haven't thought this through at all yet) is that instead of having
> register_globals on, or off, we would have it as unset, by default.  When
> unset (i.e., on new installations) - PHP will not run, but instead display
> information about register_globals, its security implications, examples,
> and a general recommendation to turn it off if at all possible.

I think one issue here is that people are so used to a certain kind of
language syntax that they're simply overestimating the effort of typing
$_{GET,POST}['foo'] when needed. With some time to get used to it, I
think most people will see why this is a good idea. Your idea sounds
like something that might help with this.

One thing that would further this cause would be to explain how to
start converting your existing codebase to be more secure in
small chunks.

I have no experience with web servers other than Apache, but with
Apache I use a .htaccess similar to the one below for my own home
pages. I have similar settings for many virtual hosts and directories
in the server configuration files.

# Security
# Stop PHP from turning every GET/POST/cookie variable into a global.
php_flag          register_globals Off

# Error tracking / displaying / logging
# 2047 is E_ALL on PHP 4: report everything, but log it to a file
# instead of showing it to the client.
php_value         error_reporting 2047
php_flag          display_errors Off
php_flag          log_errors On
php_value         error_log '<REPLACE_ME>'
# Keep the last error message in $php_errormsg for the script to inspect.
php_flag          track_errors On

> Zeev

-- 
<---------------------------------------------------------------------->
          Heikki Korpela -- [EMAIL PROTECTED] -- http://iki.fi/heko/
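The register_globals hole and the "convert in small chunks" approach discussed above, as an added example that is not part of the original message or of PHP's own code. It assumes a PHP version with the $_GET/$_POST superglobals; the function names (legacy_report, import_request_vars, shimmed_report, hardened_report) and the sample request are constructed for illustration.

```php
<?php
// Added example; not from the original post or from PHP's own source.
// Assumes $_GET/$_POST superglobals exist. All names and the request
// below are constructed for illustration.

// Constructed request, as an attacker would send it:
//   GET /report.php?user_id=42&is_admin=1
$_GET  = array('user_id' => '42', 'is_admin' => '1');
$_POST = array();

// --- Before: code that depends on register_globals -----------------------
// With register_globals On, PHP initialises $is_admin from the query string
// before this function runs, so the attacker reaches the privileged branch.
function legacy_report()
{
    global $user_id, $is_admin;
    // The author meant $is_admin to be set only by a prior privilege lookup;
    // under register_globals it is already '1' straight from the URL.
    if (!empty($is_admin)) {
        return "admin report for all users";
    }
    return "report for user " . (int) $user_id;
}

// --- Step 1: a shim for converting one file at a time --------------------
// Import only the request variables this script legitimately reads, each
// with an explicit default, and nothing else. With register_globals Off,
// $is_admin does not exist unless the script itself sets it.
function import_request_vars(array $allowed)
{
    foreach ($allowed as $name => $default) {
        if (array_key_exists($name, $_POST)) {
            $GLOBALS[$name] = $_POST[$name];
        } elseif (array_key_exists($name, $_GET)) {
            $GLOBALS[$name] = $_GET[$name];
        } else {
            $GLOBALS[$name] = $default;
        }
    }
}

function shimmed_report()
{
    import_request_vars(array('user_id' => 0));  // is_admin deliberately absent
    global $user_id;
    $is_admin = false;  // now owned by the script, not by the client
    // ... the real privilege lookup would set $is_admin here ...
    if ($is_admin) {
        return "admin report for all users";
    }
    return "report for user " . (int) $user_id;
}

// --- Step 2: the end state, reading $_GET/$_POST explicitly and validated -
function hardened_report()
{
    $user_id  = isset($_GET['user_id']) ? (int) $_GET['user_id'] : 0;
    $is_admin = false;  // derived from the session/db, never from the request
    if ($is_admin) {
        return "admin report for all users";
    }
    return "report for user " . $user_id;
}

// Demonstration. legacy_report() only misbehaves when register_globals is
// On; the foreach below emulates that so the script runs with it Off too.
foreach ($_GET as $k => $v) {
    $GLOBALS[$k] = $v;
}
echo legacy_report(), "\n";
unset($GLOBALS['is_admin'], $GLOBALS['user_id']);  // back to register_globals Off
echo shimmed_report(), "\n";
echo hardened_report(), "\n";
```

Run with `php report.php`: the legacy function hands out the admin report because the client supplied $is_admin, while both the shimmed and the hardened versions return the per-user report. The shim is the "small chunks" step: adding one import_request_vars() call with a whitelist to the top of each legacy file lets it run with register_globals Off today, and the file can be rewritten to the explicit $_GET/$_POST form later.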


-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
