On Saturday, July 28, 2001, at 12:52  PM, Zeev Suraski wrote:
> At 06:01 28/07/2001, Phil Driscoll wrote:
>> I and no doubt thousands of others will turn
>> register_globals on because it gives much more readable code,
>> much less typing and does not IMHO add one jot to the security
>> of my applications.
> I have no doubt that thousands would turn it back on.  I can't 
> do anything about it, and as I said numerous times in numerous 
> metaphors, I'm quite alright with that.

I have roughly 2,000 files to fix before I can use it with my 
biggest client.... :-)

>   I also can't imagine people avoiding PHP because variables 
> are accessed using $_FORM['foo'], instead of $foo.  People are 
> not *THAT* dumb or lazy.  Discussing this issue in the OSCon, 
> Rasmus claimed that right now he can teach PHP to a monkey in 3 
> hours, and he wouldn't want to be limited only to smart 
> Gorillas in the future.  I firmly believe that if a monkey can 
> figure out $foo, $_FORM['foo'] is not going to be the 
> showstopper.

Well, there's two *new* learning curves for the 
never-programmed-before user (monkey?).
1. Understanding arrays. The newest of the newbies are still 
trying to grok strings, and concepts like "get" or "post".
2. They have almost no examples, whatsoever, to use, for 
learning how to work with variables in this manner.

Both of these issues, combined, increase the "monkey" factor. 
Most online and printed tutorials available do not use 
HTTP_*_VARS (or any future TBI vars shorthand). The example 
code, all over php.net and zend.com, does not use it. Even if we 
encourage them to consider it "the right thing" to do, they 
don't really know how to go about doing it. I went to 
google.com, and typed in "PHP tutorials", and started looking:
http://hotwired.lycos.com/webmonkey/99/21/index2a.html <- 
Explains HTTP_POST_VARS, but doesn't use it.
http://www.devshed.com/Server_Side/PHP/ <- Many tutorials, 
looked at a few, none used it.
http://www.linuxguruz.org/z.php <- Many tutorials, looked at a 
few, none used it.
http://www.phpdeveloper.org/ <- Many tutorials, looked at a few, 
none used it.

I think, perhaps, that this is one of the reasons that so much 
of the PHP codebase isn't usable with register_globals = off. 
The learning curve is steep, because it's basically 
undocumented, in terms of tutorials, examples, downloadable 
snippets/functions, etc. So we have a chicken/egg problem, where 
the new monkey has to make a big jump, and use a relatively 
hidden method of accessing variables, because almost every 
tutorial on PHP is "wrong". Even the smart gorillas, (the ones 
writing the tutorials), aren't using it, probably because they 
never learned how/why to use it. If we can fix #2, #1 may not 
require as much effort. As it currently stands, it would be akin 
to releasing a version of PHP where we suddenly required them 
(by default, disable if needed) to change every variable they 
used from $foo to %[foo].

So, beyond my normal ramble:
If we were to do this, we might want to start by putting 
examples in place, if only to show users _how_ to do it. Even if 
we don't, we still need to start populating examples, if only to 
show users how they _can_ work with register_globals = off.


[EMAIL PROTECTED], 520-326-6109, http://www.opus1.com/ron/
The opinions expressed in this email are not necessarily those 
of myself,
my employers, or any of the other little voices in my head.
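
The two coding styles debated in this thread, side by side, as an added example that is not part of the original message or of the PHP project's code. It assumes a constructed `$request` array standing in for `$HTTP_POST_VARS`, a hypothetical `check_login()` helper, and uses `extract()` to emulate what register_globals = on does to a script's variables.

```php
<?php
// Constructed sample input standing in for a POST body ($HTTP_POST_VARS in
// the PHP of this thread). The client sent an extra field named "authorized".
$request = array('user' => 'guest', 'pass' => 'wrong', 'authorized' => '1');

// Hypothetical credential check shared by both versions (assumption).
function check_login($user, $pass) {
    return $user === 'admin' && $pass === 's3cret';
}

// Style 1: written for register_globals = on. extract() emulates the
// setting here: every request field becomes a plain variable ($foo style).
function page_with_globals(array $request) {
    extract($request);              // $user, $pass and $authorized appear
    if (check_login($user, $pass)) {
        $authorized = true;
    }
    // $authorized is never initialised by the script, so a value supplied
    // in the request survives a failed login.
    return !empty($authorized);
}

// Style 2: works with register_globals = off. Input is read only from the
// request array, and $authorized is assigned by the script alone.
function page_with_array(array $request) {
    $user = isset($request['user']) ? $request['user'] : '';
    $pass = isset($request['pass']) ? $request['pass'] : '';
    $authorized = check_login($user, $pass);
    return $authorized;
}

// Same request, both styles: compare the two results.
var_dump(page_with_globals($request));
var_dump(page_with_array($request));
```

The array style costs a few more characters per variable, but it makes the origin of each value visible at the point of use, which is the property the register_globals = off default is meant to enforce.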
