Erik Price wrote:
> On Tuesday, April 23, 2002, at 06:48  AM, Rouvas Stathis wrote:
> >> This change improves your security, so it'd be rational to be happy
> >> about
> >> it.
> >
> > No it doesn't. It just provides another excuse for lazy programming.
> > Nothing will save a lazy programmer or one that doesn't understand basic
> > principles.
> While I agree that it doesn't improve security much if the coder was
> already using $HTTP_SESSION_VARS (which he/she should have been doing),
> it definitely does not promote lazy programming.  If anything,
> registering all the variables as global promotes lazy programming!
> Sure, it's convenient to be able to access a variable with this shorter
> method, but do you really want all of these different session variables,
> post variables, get variables, cookie variables, and server variables
> sharing the same global namespace/scope?  (I use that last term loosely.)

Preventing namespace you convince me.

I used the term "lazy programming" without explaining what I meant,
hence the misunderstanding. I refer to "lazy programming" in the sense
of not properly and thoroughly checking user input, or as I believe, any
input from external to you code sources. If you don't do that I don't
believe that anything will save you. Promoting superglobals as a
security enhanchment, no I don't buy that.


> IMHO that is much lazier than using superglobals with register_globals
> off.
> Erik
> ----
> Erik Price
> Web Developer Temp
> Media Lab, H.H. Brown

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to