Patrick Teague wrote:
> Hello,
> Considering all of this...  Would it be better simply to turn
> register_globals = On if the vast majority of the stuff you have on your
> site is simple search engine type stuff and/or GET variables?

Well, such stuff needs NOT security, nedless to say. But *any* site 
needs to work properly. Besides, having the register_globals off does 
not require gigantic mental efforts to get your values.

Personally I think that a register_globals off environment is educative, 
in that it forces you to think about the way data gets passed a bit more 
than usually. And an aware programmer is better then one who just 
"believes" in the fact that his next script is gonna get the stuff it 

But whether you have your register_globals on or off variable content 
validation is still up to your own code, and that's where 99% of 
security lies. Blocking the globals just bloks anyone from poisoning an 
*internal* variable of your scripts, legally passed values must be 
validated as they where before.



LoRd, CaN yOu HeAr Me, LiKe I'm HeArInG yOu?
lOrD i'M sHiNiNg...
YoU kNoW I AlMoSt LoSt My MiNd, BuT nOw I'm HoMe AnD fReE
tHe TeSt, YeS iT iS
ThE tEsT, yEs It Is
tHe TeSt, YeS iT iS
ThE tEsT, yEs It Is.......

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to