If you forget to initialize your internal script variables, then people
could potentially inject bogus values for these variables and change how
your script operates.  e.g.

   if($password=='david') $ok=1;

   if($ok) let_them_in();

In the above, assume $password is a user-supplied value and $ok is an
internal script variable.  Now, since $ok was never initialized to 0 then
the user could supply ok=1 and get into let_them_in() regardless of the
value of $password.

Now, if you make your code E_ALL clean and make sure you initialize your
internal variables, you are correct, having register_globals on is cleaner
and easier to deal with.

-Rasmus
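
The $ok case described above, as an added example that is not part of the original message. register_globals no longer exists in current PHP, so extract() stands in for it here as an assumption; the function names and sample requests are constructed for illustration.

```php
<?php
// Added example. extract() imitates what register_globals=on did:
// every request parameter becomes a variable in the current scope.

// Pattern from the message: $ok is never initialized.
function check_uninitialized(array $request): bool
{
    extract($request);                 // stand-in for register_globals=on
    if (isset($password) && $password == 'david') $ok = 1;
    return !empty($ok);                // $ok may have come from the request
}

// Fix 1: same import of request variables, but internal state is initialized.
function check_initialized(array $request): bool
{
    extract($request);
    $ok = 0;                           // overwrites anything the request supplied
    if (isset($password) && $password == 'david') $ok = 1;
    return (bool) $ok;
}

// Fix 2: register_globals off; read only the one named input that is expected.
function check_explicit(array $request): bool
{
    $password = isset($request['password']) ? $request['password'] : '';
    return is_string($password) && $password === 'david';
}

// Constructed sample requests (already-parsed query strings).
$requests = [
    'correct password' => ['password' => 'david'],
    'wrong password'   => ['password' => 'guess'],
    'ok=1 supplied'    => ['password' => 'guess', 'ok' => '1'],
];

foreach ($requests as $label => $req) {
    printf("%-17s uninitialized=%s initialized=%s explicit=%s\n",
        $label,
        var_export(check_uninitialized($req), true),
        var_export(check_initialized($req), true),
        var_export(check_explicit($req), true));
}
```

Only the uninitialized variant lets the third request through; both fixes reject it.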

On Mon, 19 Aug 2002, David Rice wrote:

> Hi:
>
> I have a test site where I am trying out a few things in PHP. I started
> off with register_globals on. Then I read in the docs that it is best
> to turn register_globals off. I did so and now I am having a
> marvelous time recoding some session stuff :(
> I could not find much info on why "register_globals on" is a bad thing.
> Seems to me that code is much cleaner with them on. What's the down side?
>
> Cheers,
> David
>
> On Monday, August 19, 2002, at 05:05 PM, Rasmus Lerdorf wrote:
>
> > Sure, turn register_globals on only for the oasis directory.  In your
> > httpd.conf add:
> >
> > <Directory /some/path/oasis>
> >     php_value register_globals on
> > </Directory>
> >
> > -Rasmus
> >
> > On Mon, 19 Aug 2002, Andy wrote:
> >
> >> Hi there,
> >>
> >> I am running php 4.2.2 with register globals set to off. Now I am
> >> planning to install oasis (an ad tracking sw). Their current version
> >> requires a php build with register globals set to on!?
> >>
> >> Is there a way out of this dilemma running only one server?
> >>
> >> Thanx for any advice,
> >>
> >> Andy
> >>
> >> --
> >> PHP General Mailing List (http://www.php.net/)
> >> To unsubscribe, visit: http://www.php.net/unsub.php