Re: [PHP-DEV] Security Issues - a bit of my experience

2001-07-30 Thread Sterling Hughes
On Mon, 30 Jul 2001, Ramsi Sras wrote: Hey, idiot. you can just send a message to [EMAIL PROTECTED], stop spamming my mailbox, or else you'll be subscribed to a lot more mailing lists than you ever wanted. -Sterling > UNSUBSCRIBE ME PLEASE!! UNSUBSCRIBE ME PLEASE!

Re: [PHP-DEV] Security Issues - a bit of my experience

2001-07-30 Thread Jeffrey A. Stuart
AMEN! I PERSONALLY DO NOT consider it a PIA to have to access the variables via $HTTP_POST... What I USUALLY do is something like this: $fldform_var1 = $HTTP_POST_VARS['form_var1']; etc. This way, I'm GUARANTEED that I got the variable FROM the location that I was expecting. Then, I refer throu

Re: [PHP-DEV] Security Issues - a bit of my experience

2001-07-30 Thread Stephen van Egmond
Zeev Suraski ([EMAIL PROTECTED]) wrote: > I don't think we can change the behavior of empty() at this stage... isempty()?

Re: [PHP-DEV] Security Issues - a bit of my experience

2001-07-30 Thread Zeev Suraski
At 01:22 30/07/2001, Phil Driscoll wrote: >I agree - to my mind empty is broken in this respect and also in the respect >that it returns true for a string containing '0'. Consequently I (and I >assume everyone else, unless I'm missing some occasion that this behaviour is >useful) can never use emp

Re: [PHP-DEV] Security Issues - a bit of my experience

2001-07-30 Thread Phil Driscoll
On Sunday 29 July 2001 19:42, Stephen van Egmond wrote: >will produce warnings if $x is not set. If you don't want the >warnings, you have to replace it with: > > if (isset($x) && $x) { > } > >"if it's set and it's true"...? ugh. > > One is then tempted to look for replace

Re: [PHP-DEV] Security Issues - a bit of my experience

2001-07-30 Thread Ramsi Sras
UNSUBSCRIBE ME PLEASE!! UNSUBSCRIBE ME PLEASE!! UNSUBSCRIBE ME PLEASE!! UNSUBSCRIBE ME PLEASE!! UNSUBSCRIBE ME PLEASE!! UNSUBSCRIBE ME PLEASE!! Zeev Suraski wrote: At 21:34 29/07/2001, Stephen van Egmond wrote: >Zeev Suraski ([E

Re: [PHP-DEV] Security Issues - a bit of my experience

2001-07-30 Thread Ramsi Sras
UNSUBSCRIBE ME PLEASE!! Stephen van Egmond wrote: Zeev Suraski ([EMAIL PROTECTED]) wrote: > - register_globals=on leads to insecure code, which was demonstrated time > and time again in the past. > - Once it's off, we're going to provide methods of accessing variables > which are ju

Re: [PHP-DEV] Security Issues - a bit of my experience

2001-07-30 Thread Ramsi Sras
UNSUBSCRIBE ME PLEASE!! Stephen van Egmond wrote: Rasmus Lerdorf ([EMAIL PROTECTED]) wrote: > Think about whether in each of these cases it would have happened if the > developers of the app had developed with E_NOTICE on. In a high number of > these cases it probably wouldn't. An

Re: [PHP-DEV] Security Issues - a bit of my experience

2001-07-29 Thread Zeev Suraski
At 21:34 29/07/2001, Stephen van Egmond wrote: >Zeev Suraski ([EMAIL PROTECTED]) wrote: > > - register_globals=on leads to insecure code, which was demonstrated time > > and time again in the past. > > - Once it's off, we're going to provide methods of accessing variables > > which are just as eas

Re: [PHP-DEV] Security Issues - a bit of my experience

2001-07-29 Thread Rasmus Lerdorf
> I was trying to step back a bit and identify some of the patterns in > the attacks identified in the paper. One extremely popular pattern was > spoofing variables by overwriting them: GET variables overwriting > POST, usually, and I suggested that some SAPI stunt be pulled to catch > that. Tha

Re: [PHP-DEV] Security Issues - a bit of my experience

2001-07-29 Thread Stephen van Egmond
Zeev Suraski ([EMAIL PROTECTED]) wrote: > - register_globals=on leads to insecure code, which was demonstrated time > and time again in the past. > - Once it's off, we're going to provide methods of accessing variables > which are just as easy, and quite easier in case you access them from > fu

Re: [PHP-DEV] Security Issues - a bit of my experience

2001-07-29 Thread Zeev Suraski
What you ignored completely are three facts: - register_globals=on leads to insecure code, which was demonstrated time and time again in the past. - Once it's off, we're going to provide methods of accessing variables which are just as easy, and quite easier in case you access them from functio

Re: [PHP-DEV] Security Issues - a bit of my experience

2001-07-29 Thread Stephen van Egmond
Rasmus Lerdorf ([EMAIL PROTECTED]) wrote: > Think about whether in each of these cases it would have happened if the > developers of the app had developed with E_NOTICE on. In a high number of > these cases it probably wouldn't. And if this number is close to 100%, > then it would point to the f