On Sunday 30 June 2002 23:12, PHPCoder wrote:
> Going through some literature, it seems like the use of registered
> globals can cause security issues. Now, the dilemma, all my previous PHP
> installations (for the last year or so) have come with register
> globals = on in the php.ini file by default, and users on my system have
> happily coded their websites using this function.
> Now, with all the new versions of PHP, the registered globals are
> turned off in the ini and will basically cause all those previous sites
> not to function. Which means that I'm between a rock and a hard place,
> turn the register globals back on and carry on with the security risks,
> or keep it off and have all those people re-code their sites...
> Is there a more "gentle" solution out there? Am I just misunderstanding
> the issue?
> Any light on the matter will be appreciated.
I don't think there are any "gentle" approaches to this. People will have to bite
the bullet sooner or later.
What may help slightly is the fact that you can have different settings for
register_globals for each virtual host. Thus the global setting for
register_globals, i.e. php.ini, can be off. Then for each of your users who
have not yet recoded, enable register_globals in their virtual host setting.
Thus the people who have bothered to recode will be able to benefit from a
more secure application without being affected by the people who have not yet
Jason Wong -> Gremlins Associates -> www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
Depart in pieces, i.e., split.
PHP General Mailing List (http://www.php.net/)
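
The per-virtual-host arrangement described in the reply above, as an added example that is not part of the original message. It assumes PHP is loaded as an Apache module; the host names and paths are constructed placeholders.

```apache
# Server-wide default lives in php.ini and stays off:
#   register_globals = Off

# Constructed example hosts; substitute real names and paths.

# Site that has NOT been recoded yet: opt in for this host only.
<VirtualHost *:80>
    ServerName legacy.example.com
    DocumentRoot /var/www/legacy
    # php_admin_flag cannot be overridden from .htaccess or ini_set(),
    # so the exception is controlled by the server admin alone.
    php_admin_flag register_globals on
</VirtualHost>

# Site that HAS been recoded: pin the safe value explicitly so a
# stray .htaccess "php_flag register_globals on" has no effect.
<VirtualHost *:80>
    ServerName recoded.example.com
    DocumentRoot /var/www/recoded
    php_admin_flag register_globals off
</VirtualHost>
```

Each legacy block is an explicit, greppable exception, so the list of hosts still running with register_globals on can be tracked and removed as sites are recoded.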