Daniel,

Switch register_globals back on, and everything works as it always did. So do it!

All this fuss about register_globals being insecure is a complete load of rubbish. This issue really bores me, but it seems programmers are wasting a lot of time on it, so I guess I'd better run through the arguments one more time...

1. You can never know whether the input to your script came from a real GET, a COOKIE, or a POST. It's very easy to create a simulated GET, COOKIE or POST. You don't even need a programming language if you've got the right tools. Even with PHP (hardly a typical hacking tool), it's only a few lines of code.

2. That means that checking to make sure a variable was specifically a GET, COOKIE or POST variable has no security value whatsoever.

3. On the other hand, not worrying about how your script got its request variables (i.e. register globals is on) is intrinsically sound programming practice. Your code should work and your logic should be sound regardless of what happened before your script got executed. It's one of the great advantages of the internet. For example, on searches, you can have exactly the same search code and results page driven from a search form, or a link on another page, or a remote http request. You code once, but your code can be used in many different ways.

4. In any case, register globals off only protects the sloppy programmer from the sloppy hacker. It doesn't stop the good programmer from being as cautious as they like. You can already control the order in which variables are registered e.g. to make POST variables always override COOKIES or vice versa. And, you can, if you really need to, double-check with the global variables, HTTP_POST_VARS etc.

5. When it comes to access control (which seems to be where the bogus security argument starts), there is only one safe approach. That is to require that a valid username and password are supplied with every request and then check them in every script. It's not hard, it doesn't take long and it's the proper way to do it. There's a whole section of the HTTP protocol, HTTP authentication, which is designed precisely to make this easy.

But hey, don't worry about all this guff. Just switch register globals back on. If your system administrator/ISP won't let you, just refer them to this mail and tell them I'd be happy to explain anything they don't get.

Keep it simple!


George


[EMAIL PROTECTED] wrote:
Hi all!

I'm using Apache 2.0.45, PHP 4.3.2RC4, and MySQL 3.23.49 on Windows 2003
Server Standard.

I have a problem passing variables between pages. They simply get lost.
Neither GET nor POST pass values, and even "hardcoding" them into the URL,
like

http://localhost/comeon.php?aVariable=ding&anotherVariable=dong

and putting this in comeon.php:

echo("Values: $aVariable, $anotherVariable");

only outputs

Values: ,

...I've tried with RC3 of PHP, even 4.3.1, but it doesn't work. I've used
PHP on my machine with Apache 2 before, and it worked fine. Actually I used
the same scripts fine on my old config. This was on XP however, so I'm not
sure if it's got something to do with the OS. I'm hoping it's a
configuration issue.

Any ideas are VERY much appreciated =).

Thanks,
Daniel


» There are 10 kinds of people - those who know binary and those who don't. «
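Added example, not code from either poster: the explicit-superglobal form of Daniel's comeon.php (register_globals has defaulted to Off since PHP 4.2, which is why $aVariable is empty on his 4.3.2 install) together with the per-request HTTP-authentication check George's point 5 describes, written so that no variable the script relies on can be supplied by the request. The demo account and the check_credentials helper are constructed for the example.

```php
<?php
// Added example (not from either poster). Assumes PHP 4.1+ (superglobals
// exist) running with register_globals = Off, the default since 4.2 and
// what Daniel's 4.3.2 install is doing. The demo account is constructed.
// 1. Daniel's symptom: with register_globals off, comeon.php?aVariable=ding
//    no longer creates $aVariable, so "Values: ," is printed. Read the
//    request explicitly from $_GET (or $_POST/$_COOKIE, chosen deliberately
//    rather than via the silent precedence order register_globals applied).
function request_value($key, $default = '')
{
    return isset($_GET[$key]) ? $_GET[$key] : $default;
}

$aVariable       = request_value('aVariable');
$anotherVariable = request_value('anotherVariable');
echo 'Values: ' . htmlspecialchars($aVariable) . ', '
   . htmlspecialchars($anotherVariable) . "\n";

// 2. The access-control case from George's point 5. With
//    register_globals = On an uninitialised flag can be pre-set by the
//    request: given
//      if (check_credentials($user, $pass)) { $authorized = true; }
//      if ($authorized) { /* protected content */ }
//    a request carrying ?authorized=1 defines $authorized before the check
//    runs. Initialising the flag and reading credentials only from $_SERVER
//    makes the script correct whatever the ini setting is.
function check_credentials($user, $pass)
{
    $accounts = array('demo' => 'demo-pass');   // constructed; store hashes
    return isset($accounts[$user]) && $accounts[$user] === $pass;
}

function is_authorized()
{
    $authorized = false;                         // never left to the request
    // PHP_AUTH_USER/PW are populated when PHP runs as an Apache module.
    $user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
    $pass = isset($_SERVER['PHP_AUTH_PW'])   ? $_SERVER['PHP_AUTH_PW']   : '';
    if ($user !== '' && check_credentials($user, $pass)) {
        $authorized = true;
    }
    return $authorized;
}

if (!is_authorized()) {
    header('WWW-Authenticate: Basic realm="comeon"');   // HTTP auth challenge
    header('HTTP/1.0 401 Unauthorized');
    echo "Authentication required\n";
    exit;
}
echo 'Protected content for ' . htmlspecialchars($_SERVER['PHP_AUTH_USER']) . "\n";
```

Drop the script into the same Apache 2 + PHP setup Daniel describes and request it with and without a Basic-auth header to see both branches; the "Values:" line works regardless of the register_globals setting.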



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


