Hello,

on 06/18/2006 04:19 AM Satyam said the following:
>> Good code won't be vulnerable to register_globals either, but having
>> register_globals on is a security problem because there are security
>> flaws that can only be exploited when register_globals is enabled.
>>
> 
> Actually, code quality cannot overcome the vulnerability of
> register_globals.  Every program will have global variables.
> register_globals=on may overwrite a valid global variable, one totally
> unrelated to user input, with a value coming from the request, and there
> is nothing good coding can do about it. The chances that an external
> user might hit the right variable name are slim (unless a disgruntled
> former programmer) but they exist.

There is a big misunderstanding about this matter. Having register
globals on does not make PHP overwrite global variables. It rather may
initialize global variables with values related to the request.

There may only be a problem with scripts that assumed those global
variables would not be initialized before the start of a script. Even if
there is a problem due to a distraction of the developer, it may not
even be necessarily a security problem.

If you initialize your script global variables properly, having register
globals on will never be a problem to you. You may also read this as, if
you are a competent developer, you will not make these silly mistakes,
especially by now when we all are so over the issue and triple checked
our code bases.

-- 

Regards,
Manuel Lemos

Metastorage - Data object relational mapping layer generator
http://www.metastorage.net/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
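
The point argued in the message above, shown as an added example that is not part of the original thread: a request value only matters when the script never initializes the variable itself. register_globals was removed in PHP 5.4, so its effect is emulated here with extract(); check_login(), the variable name $authorized and the sample secret are hypothetical.

```php
<?php
// Added example, not code from the thread. register_globals=on is emulated:
// request variables are imported into scope before the script body runs.
// EXTR_SKIP mirrors the fact that the import never overwrites an existing
// variable; it can only pre-initialize one the script has not set yet.

// Hypothetical credential check standing in for real authentication.
function check_login(array $request): bool
{
    return ($request['password'] ?? '') === 'constructed-sample-secret';
}

// Script body that assumes $authorized is unset when it starts.
function script_uninitialized(array $request): bool
{
    extract($request, EXTR_SKIP);   // emulated register_globals=on
    if (check_login($request)) {
        $authorized = true;
    }
    return !empty($authorized);     // a request-supplied value survives a failed login
}

// Same script body with the variable initialized before use.
function script_initialized(array $request): bool
{
    extract($request, EXTR_SKIP);   // emulated register_globals=on
    $authorized = false;            // assignment replaces any request-supplied value
    if (check_login($request)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed sample requests.
$requests = [
    'valid login'         => ['password' => 'constructed-sample-secret'],
    'no credentials'      => [],
    'authorized in query' => ['authorized' => '1'],
];

foreach ($requests as $label => $request) {
    printf("%-20s uninitialized=%s initialized=%s\n", $label,
        var_export(script_uninitialized($request), true),
        var_export(script_initialized($request), true));
}
```

Only the third request separates the two versions: the uninitialized script reports true, the initialized one false.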
