RE: Re: [PHP-DB] Re: sessions

2004-12-13 Thread Norland, Martin
 -Original Message-
 From: John Holmes [mailto:[EMAIL PROTECTED]
 You are wrong. :)

 Having register_globals OFF helps to prevent poorly written programs
 from being vulnerable to users setting variables in the URL/header/cookie
 data. You can still write horribly insecure programs with register_globals
 OFF. You can easily write very secure programs that function with
 register_globals ON or OFF, too.

http://us2.php.net/manual/en/security.globals.php

Exactly.  It's merely there so that beginning developers don't blindly
stumble forward making bad decisions - give them a sense that there's
this thing called input checking and initialization.  That said, it's a
shame that there are still commercial programs that rely on it - solely
because it has defaulted to off since 4.2 and many people may not have
the access to change it*.  One would want to avoid as much technical
support as necessary, in such instances :)

Personally I prefer explicitly pulling data into my scripts, so I like
it being OFF regardless of defaults, but others may have other opinions.

* I know it can be changed in .htaccess, I just don't know what options
the server needs to be running under for this - AllowOverride ALL
certainly - but I would hope something more lax would allow it.  Still,
it seems being able to change that would give the user the ability to
change the max_memory/max_execution_time of php scripts - which I can't
imagine any reselling host wanting a shell/etc. account doing.

Cheers,
- Martin Norland, Database / Web Developer, International Outreach x3257
The opinion(s) contained within this email do not necessarily represent
those of St. Jude Children's Research Hospital.
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: Re: [PHP-DB] Re: sessions

2004-12-11 Thread John Holmes
 From: Joseph Crawford [EMAIL PROTECTED]
 
 Correct me if I am wrong, but I have been told it is bad and insecure
 to use register_global=on

You are wrong. :)

Having register_globals OFF helps to prevent poorly written programs from being 
vulnerable to users setting variables in the URL/header/cookie data. You can 
still write horribly insecure programs with register_globals OFF. You can 
easily write very secure programs that function with register_globals ON or 
OFF, too. 

---John Holmes...

UCCASS - PHP Survey System
http://www.bigredspark.com/survey.html

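The distinction John draws (and Martin seconds) comes down to one habit: whether a script initialises its own variables and pulls its inputs in explicitly. The following is an added PHP example, not code from either message, showing the same access check written the way register_globals=On punishes and the way that works under either setting. The request arrays (standing in for $_GET/$_POST), the credentials_ok() helper and the alice / correct-horse pair are all constructed for the demo.

```php
<?php
// Added example, not code from the thread. Two versions of an access check,
// run on constructed request arrays, to show why register_globals=On only
// hurts code that fails to initialise its own variables.

// Stand-in for the application's real login check (constructed for the demo:
// the only valid pair is alice / correct-horse).
function credentials_ok(array $request): bool
{
    return isset($request['user'], $request['pass'])
        && $request['user'] === 'alice'
        && hash_equals('correct-horse', (string) $request['pass']);
}

// register_globals=On imports every URL/form/cookie variable into the global
// scope before the first line of the script runs. extract() at the top of
// each function emulates that import so the demo behaves the same on any PHP
// build (the directive was removed in 5.4, so it cannot be turned on for real).
function vulnerable_check(array $request): bool
{
    extract($request, EXTR_SKIP);      // emulates register_globals=On
    // Bug: $authorized is assigned only on success and never initialised,
    // so a request carrying authorized=1 pre-seeds it.
    if (credentials_ok($request)) {
        $authorized = true;
    }
    return !empty($authorized);        // may read the attacker's value
}

function hardened_check(array $request): bool
{
    extract($request, EXTR_SKIP);      // same import, same attacker input
    $authorized = false;               // script owns the flag from line one
    if (credentials_ok($request)) {    // inputs read from the array, not scope
        $authorized = true;
    }
    return $authorized;
}

// register_globals is PHP_INI_PERDIR: ini_set() cannot change it at runtime,
// only php.ini, httpd.conf or .htaccess can. A script that cannot control the
// host can at least detect it (false on PHP >= 5.4, where it no longer exists).
function register_globals_is_on(): bool
{
    return filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}

// Constructed requests: an attacker with no valid password who appends
// authorized=1 to the query string, and a genuine login.
$attack = ['user' => 'mallory', 'pass' => 'guess', 'authorized' => '1'];
$legit  = ['user' => 'alice',   'pass' => 'correct-horse'];

printf("register_globals on:      %s\n", register_globals_is_on() ? 'yes' : 'no');
printf("vulnerable_check(attack): %s\n", var_export(vulnerable_check($attack), true));
printf("hardened_check(attack):   %s\n", var_export(hardened_check($attack), true));
printf("hardened_check(legit):    %s\n", var_export(hardened_check($legit), true));
```

Run it with the CLI: the vulnerable version accepts the attack request because the only thing standing between the attacker and $authorized was an assumption that it started out unset, while the hardened version rejects it and still accepts the genuine login. Neither the "secure" nor the "insecure" outcome depends on the ini setting, which is John's point. On Martin's .htaccess footnote: php_flag register_globals Off in .htaccess needs AllowOverride Options (or AllowOverride All); because memory_limit and max_execution_time are PHP_INI_ALL, granting that makes them overridable too, which is why hosts that allow it usually pin those with php_admin_value in the server configuration, which .htaccess cannot override.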