Miguel Cruz wrote:
> On Tue, 23 Apr 2002, Rouvas Stathis wrote:
> >Miguel Cruz wrote:
> >>
> >> On Mon, 22 Apr 2002, Leif K-Brooks wrote:
> >>> I use $formvar for form processing, I don't use the arrays.  This is how I
> >>> was taught to do it.  If my host upgrades to 4.2.0, my website is as good as
> >>> gone!  What am I supposed to do?!
> >>
> >> Fix them! This direction was first announced in 4Q1999; 2.5 years ought to
> >> be enough preparation time.
> >
> > No, it isn't! For anything that breaks old functionality, 'forever' is
> > not enough time.
> It doesn't break old functionality. You just have to read the manual.
> Either leave your php.ini file untouched from your earlier installation
> (which is not a difficult undertaking), or override the global import
> feature on a site-by-site (or directory-by-directory) basis using your web
> server's configuration tools.

Yes, you could do that. But then again, what happens if you have to use
a piece of code that someone else has written that did not take the new
habit into account? A number of interesting questions arise when you
have to operate that code along with newer one. Oh well, I guess
everything must change. After all, managing change is what we humans do,
don't we? :-)

> >> This change improves your security, so it'd be rational to be happy about
> >> it.
> >
> > No it doesn't. It just provides another excuse for lazy programming.
> > Nothing will save a lazy programmer or one that doesn't understand basic
> > principles.
> I disagree. You cannot expect everyone to be perfect. The fact is that
> people make mistakes and go through a learning process, and anything that
> helps them through this is a benefit to all. Otherwise why have any
> security features at all? Firewalls encourage lazy programming! Locks and
> police encourage lazy domestic vigilance!

It's just that I don't see any security value in superglobals. If
someone does not know enough, he/she will make the same mistake with or
without superglobals (from security's point of view).
As far as "lazy programming", please refer to my previous post.


> And it's not lazy to assume a variable starts with value NULL, in a
> language with no storage declaration requirements and where the
> documentation says that variables start with value NULL. Just because C or
> Pascal require you to do something, doesn't mean that you are being lazy
> for not doing it elsewhere.
> miguel
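As an added illustration (not code from anyone in this thread), here is the difference the two sides are arguing about: a script that trusts a never-initialised flag behaves differently depending on whether request parameters are imported into the global scope, while a script that initialises the flag and reads input only from the superglobal arrays does not. The `simulate_register_globals` helper, the field names and the credentials are constructed for the example.

```php
<?php
// Added illustration, not taken from the thread. The helper below stands in
// for what the engine does when register_globals is on (the default before
// PHP 4.2.0): every request parameter becomes a global variable before the
// script runs. The request array and credentials are constructed for the demo.
function simulate_register_globals($request)
{
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// Old-style script: reads form values as plain variables ($formvar style)
// and relies on $authorized "starting as NULL", never setting it explicitly.
function check_access_implicit()
{
    global $user, $pass, $authorized;        // $authorized is never initialised
    if ($user === 'admin' && $pass === 'correct horse') {
        $authorized = true;
    }
    return (bool) $authorized;               // NULL unless the request supplied it
}

// Superglobal-style script: explicit initial value, input taken only from
// the $_POST-style array, so no request field can pre-seed the flag.
function check_access_explicit($post)
{
    $authorized = false;
    $user = isset($post['user']) ? $post['user'] : '';
    $pass = isset($post['pass']) ? $post['pass'] : '';
    if ($user === 'admin' && $pass === 'correct horse') {
        $authorized = true;
    }
    return $authorized;
}

// Constructed request: wrong password plus an extra "authorized" field that
// the form never sends but any client can add to a request.
$request = array('user' => 'guest', 'pass' => 'wrong', 'authorized' => '1');

// Same request through both checks. Only the implicit one is affected by
// the global import, because the extra field lands in $authorized directly.
simulate_register_globals($request);
var_dump(check_access_implicit());
var_dump(check_access_explicit($request));
```

Run it once as-is and once with the `simulate_register_globals` call commented out to see the implicit check change its answer while the explicit one does not.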

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
