Re: [PHP] The so-called improvement in PHP 4.2.0
Miguel Cruz wrote:
>
> On Tue, 23 Apr 2002, Rouvas Stathis wrote:
> > Miguel Cruz wrote:
> >>
> >> On Mon, 22 Apr 2002, Leif K-Brooks wrote:
> >>> I use $formvar for form processing, I don't use the arrays. This is how I
> >>> was taught to do it. If my host upgrades to 4.2.0, my website is as good as
> >>> gone! What am I supposed to do?!
> >>
> >> Fix them! This direction was first announced in 4Q1999; 2.5 years ought to
> >> be enough preparation time.
> >
> > No, it isn't! For anything that breaks old functionality, 'forever' is
> > not enough time.
>
> It doesn't break old functionality. You just have to read the manual.
> Either leave your php.ini file untouched from your earlier installation
> (which is not a difficult undertaking), or override the global import
> feature on a site-by-site (or directory-by-directory) basis using your web
> server's configuration tools.

Yes, you could do that. But then again, what happens if you have to use a
piece of code that someone else has written that did not take the new habit
into account? A number of interesting questions arise when you have to
operate that code along with newer one. Oh well, I guess everything must
change. After all, managing change is what we humans do, don't we :-)

> >> This change improves your security, so it'd be rational to be happy about
> >> it.
> >
> > No it doesn't. It just provides another excuse for lazy programming.
> > Nothing will save a lazy programmer or one that doesn't understand basic
> > principles.
>
> I disagree. You cannot expect everyone to be perfect. The fact is that
> people make mistakes and go through a learning process, and anything that
> helps them through this is a benefit to all. Otherwise why have any
> security features at all? Firewalls encourage lazy programming! Locks and
> police encourage lazy domestic vigilance!

It's just that I don't see any security value in superglobals.
If someone does not know enough, he/she will make the same mistake with or
without superglobals (from security's point of view). As far as "lazy
programming", please refer to my previous post.

-Stathis.

> And it's not lazy to assume a variable starts with value NULL, in a
> language with no storage declaration requirements and where the
> documentation says that variables start with value NULL. Just because C or
> Pascal require you to do something, doesn't mean that you are being lazy
> for not doing it elsewhere.
>
> miguel

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] The so-called improvement in PHP 4.2.0
On Tuesday, April 23, 2002, at 11:46 AM, Rouvas Stathis wrote:

> Preventing namespace pollution...now you convince me.
>
> I used the term "lazy programming" without explaining what I meant,
> hence the misunderstanding. I refer to "lazy programming" in the sense
> of not properly and thoroughly checking user input, or as I believe, any
> input from external to your code sources. If you don't do that I don't
> believe that anything will save you. Promoting superglobals as a
> security enhancement, no I don't buy that.

Yes, two different interpretations of laziness. The coder must still be
vigilant regarding user input, and check everything. But superglobals,
imho do tend to reduce the sloppiness of the final code.

Erik


Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]
Re: [PHP] The so-called improvement in PHP 4.2.0
Erik Price wrote:
>
> On Tuesday, April 23, 2002, at 06:48 AM, Rouvas Stathis wrote:
>
> >> This change improves your security, so it'd be rational to be happy
> >> about
> >> it.
> >
> > No it doesn't. It just provides another excuse for lazy programming.
> > Nothing will save a lazy programmer or one that doesn't understand basic
> > principles.
>
> While I agree that it doesn't improve security much if the coder was
> already using $HTTP_SESSION_VARS (which he/she should have been doing),
> it definitely does not promote lazy programming. If anything,
> registering all the variables as global promotes lazy programming!
> Sure, it's convenient to be able to access a variable with this shorter
> method, but do you really want all of these different session variables,
> post variables, get variables, cookie variables, and server variables
> sharing the same global namespace/scope? (I use that last term loosely.)

Preventing namespace pollution...now you convince me.

I used the term "lazy programming" without explaining what I meant,
hence the misunderstanding. I refer to "lazy programming" in the sense
of not properly and thoroughly checking user input, or as I believe, any
input from external to your code sources. If you don't do that I don't
believe that anything will save you. Promoting superglobals as a
security enhancement, no I don't buy that.

-Stathis.

> IMHO that is much lazier than using superglobals with register_globals
> off.
>
> Erik
>
>
> Erik Price
> Web Developer Temp
> Media Lab, H.H. Brown
> [EMAIL PROTECTED]
Re: [PHP] The so-called improvement in PHP 4.2.0
On Tue, 23 Apr 2002, Rouvas Stathis wrote:
> Miguel Cruz wrote:
>>
>> On Mon, 22 Apr 2002, Leif K-Brooks wrote:
>>> I use $formvar for form processing, I don't use the arrays. This is how I
>>> was taught to do it. If my host upgrades to 4.2.0, my website is as good as
>>> gone! What am I supposed to do?!
>>
>> Fix them! This direction was first announced in 4Q1999; 2.5 years ought to
>> be enough preparation time.
>
> No, it isn't! For anything that breaks old functionality, 'forever' is
> not enough time.

It doesn't break old functionality. You just have to read the manual.
Either leave your php.ini file untouched from your earlier installation
(which is not a difficult undertaking), or override the global import
feature on a site-by-site (or directory-by-directory) basis using your web
server's configuration tools.

>> This change improves your security, so it'd be rational to be happy about
>> it.
>
> No it doesn't. It just provides another excuse for lazy programming.
> Nothing will save a lazy programmer or one that doesn't understand basic
> principles.

I disagree. You cannot expect everyone to be perfect. The fact is that
people make mistakes and go through a learning process, and anything that
helps them through this is a benefit to all. Otherwise why have any
security features at all? Firewalls encourage lazy programming! Locks and
police encourage lazy domestic vigilance!

And it's not lazy to assume a variable starts with value NULL, in a
language with no storage declaration requirements and where the
documentation says that variables start with value NULL. Just because C or
Pascal require you to do something, doesn't mean that you are being lazy
for not doing it elsewhere.

miguel
Re: [PHP] The so-called improvement in PHP 4.2.0
On Tuesday, April 23, 2002, at 06:48 AM, Rouvas Stathis wrote:

>> This change improves your security, so it'd be rational to be happy
>> about
>> it.
>
> No it doesn't. It just provides another excuse for lazy programming.
> Nothing will save a lazy programmer or one that doesn't understand basic
> principles.

While I agree that it doesn't improve security much if the coder was
already using $HTTP_SESSION_VARS (which he/she should have been doing),
it definitely does not promote lazy programming. If anything,
registering all the variables as global promotes lazy programming!
Sure, it's convenient to be able to access a variable with this shorter
method, but do you really want all of these different session variables,
post variables, get variables, cookie variables, and server variables
sharing the same global namespace/scope? (I use that last term loosely.)

IMHO that is much lazier than using superglobals with register_globals
off.

Erik


Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]
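The two positions above (Miguel's "a variable starts as NULL" and Erik's "one shared namespace for cookie, form and session data") can be put side by side in code. The following is an added example written for this page, not code from the thread or from PHP itself: one function emulates the register_globals model by importing every key of a merged cookie/form array, the other initializes its state and reads each value from the one array it means to trust. The input arrays, the user names and the is_admin key are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. Contrasts the register_globals
// model (every cookie/GET/POST key lands in one global namespace) with
// explicit reads from the superglobals, and shows that the "variables start
// as NULL" assumption only holds when nothing imports request data over
// them. The cookie and form arrays below are constructed for the demo.

// Legacy style: emulate register_globals by importing every key. Two
// sources that use the same name ("user") collide, and $is_admin, which the
// author never initialized, takes whatever value the merged input carried.
function resolve_user_legacy(array $cookie, array $post)
{
    // Merge order decides which source wins; afterwards the script cannot
    // tell whether $user came from the cookie or from the form.
    foreach (array_merge($cookie, $post) as $key => $val) {
        $$key = $val;
    }
    if (isset($user) && $user === 'alice') {
        $is_admin = true;
    }
    return array(
        'user'     => isset($user) ? $user : null,
        'is_admin' => !empty($is_admin),   // true if ANY source set it
    );
}

// Hardened style: initialize state first, then read each value from the
// one superglobal the logic is meant to trust. A cookie named "user" or a
// form field named "is_admin" cannot influence the decision.
function resolve_user_hardened(array $cookie, array $post)
{
    $is_admin    = false;
    $user        = isset($post['user'])   ? (string) $post['user']   : '';
    $cookie_user = isset($cookie['user']) ? (string) $cookie['user'] : '';
    if ($user === 'alice') {
        $is_admin = true;
    }
    return array(
        'user'        => $user,
        'cookie_user' => $cookie_user,   // kept separate, never merged
        'is_admin'    => $is_admin,
    );
}

// Constructed inputs: cookie and form share the name "user", and the form
// also happens to carry a key named is_admin.
$cookie = array('user' => 'alice');
$post   = array('user' => 'bob', 'is_admin' => '1');

$legacy   = resolve_user_legacy($cookie, $post);
$hardened = resolve_user_hardened($cookie, $post);

// Under the legacy model the form wins the "user" collision AND supplies
// is_admin; under the hardened model bob is not an admin.
printf("legacy:   user=%s is_admin=%s\n",
    $legacy['user'], $legacy['is_admin'] ? 'yes' : 'no');
printf("hardened: user=%s is_admin=%s\n",
    $hardened['user'], $hardened['is_admin'] ? 'yes' : 'no');
```

Run with `php example.php`. The legacy function reports bob as admin because the imported is_admin key was the flag's first and only value; the hardened one never lets an input choose the initial value of its own state, which is the property register_globals = Off restores for code that does not re-import blindly.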
Re: [PHP] The so-called improvement in PHP 4.2.0
Miguel Cruz wrote:
>
> On Mon, 22 Apr 2002, Leif K-Brooks wrote:
> > I use $formvar for form processing, I don't use the arrays. This is how I
> > was taught to do it. If my host upgrades to 4.2.0, my website is as good as
> > gone! What am I supposed to do?!
>
> Fix them! This direction was first announced in 4Q1999; 2.5 years ought to
> be enough preparation time.

No, it isn't! For anything that breaks old functionality, 'forever' is
not enough time.

> This change improves your security, so it'd be rational to be happy about
> it.

No it doesn't. It just provides another excuse for lazy programming.
Nothing will save a lazy programmer or one that doesn't understand basic
principles.

-Stathis.

> In any case, you can probably override it for your web space with a
> .htaccess directive, should you want to persist in your resistance to
> positive change.
>
> Also, if you were taught to do it the $formvar way in the past year or so,
> you should find the person who taught you and tweak their nose.
>
> miguel
Re: [PHP] The so-called improvement in PHP 4.2.0
On Mon, 22 Apr 2002, Leif K-Brooks wrote:
> I use $formvar for form processing, I don't use the arrays. This is how I
> was taught to do it. If my host upgrades to 4.2.0, my website is as good as
> gone! What am I supposed to do?!

Fix them! This direction was first announced in 4Q1999; 2.5 years ought to
be enough preparation time.

This change improves your security, so it'd be rational to be happy about
it.

In any case, you can probably override it for your web space with a
.htaccess directive, should you want to persist in your resistance to
positive change.

Also, if you were taught to do it the $formvar way in the past year or so,
you should find the person who taught you and tweak their nose.

miguel
Re: [PHP] The so-called improvement in PHP 4.2.0
On Mon, 22 Apr 2002, Leif K-Brooks wrote:
> The only problem with that is that I have at least 50 scripts that are using
> the old thing!

You could auto_prepend the file which has the code for "backwards
compatibility" of the variables.
RE: [PHP] The so-called improvement in PHP 4.2.0
Also see extract() and import_request_variables()

Although, an upgrade to PHP 4.2.0 is not going to automatically disable
register_globals. Upgrading PHP does not overwrite the existing php.ini
file, so unless your ISP specifically changes this php.ini setting, nothing
will change.

-Rasmus

On Mon, 22 Apr 2002, Alok K. Dhir wrote:
> Change your scripts. It's relatively easy to cause variables in the
> superglobal arrays to be set in the global namespace. Code samples for
> this appear in various places in the user contributed notes in the
> PHP documentation.
>
> A quick and dirty working example:
>
> foreach (array_merge($_POST,$_GET) as $key=>$val) {
>     global $$key;
>     $$key=$val;
> }
>
> If you include the above at the top of all your existing scripts, they
> should continue to function.
>
> As always, caveat emptor...
>
> Alok
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED].net] On Behalf Of Leif K-Brooks
> > Sent: Monday, April 22, 2002 5:11 PM
> > To: [EMAIL PROTECTED]
> > Subject: [PHP] The so-called improvement in PHP 4.2.0
> >
> >
> > I use $formvar for form processing, I don't use the arrays.
> > This is how I was taught to do it. If my host upgrades to
> > 4.2.0, my website is as good as gone! What am I supposed to do?!
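Putting the suggestions in this sub-thread together (the auto_prepend idea, Alok's import loop, and Rasmus's pointer to extract() and import_request_variables()), here is an added example of what a compatibility prepend file can look like; it is written for this page and is neither Alok's shim nor anything shipped with PHP. Compared with the quick-and-dirty loop, it initializes the variables the old scripts treat as trusted state before importing, and uses extract() with EXTR_SKIP so request data can fill in only names that do not already exist. The file path and the three protected variable names are assumptions for the demo.

```php
<?php
// Added example, not code from the thread. A compatibility file to be loaded
// through auto_prepend_file so that legacy $formvar-style scripts keep
// running with register_globals = Off. The protected names ($logged_in,
// $is_admin, $user_id) and the path are constructed for this demo.
//
// Enable it for one directory (Apache + mod_php) with an .htaccess line:
//     php_value auto_prepend_file /path/to/compat_prepend.php
// or for the whole server in php.ini:
//     auto_prepend_file = /path/to/compat_prepend.php
// The prepended file runs in the main script's scope, so the variables it
// creates are visible to the legacy script as ordinary globals, which is
// exactly what register_globals used to provide.

// 1. Set every variable the legacy code assumes "starts empty" explicitly,
//    BEFORE importing. With EXTR_SKIP below, a request parameter carrying
//    one of these names is ignored instead of becoming the initial value.
$logged_in = false;
$is_admin  = false;
$user_id   = 0;

// 2. Import form input only: GET and POST, no cookies and no server or
//    environment variables, so the separate sources stay separate.
//    POST is placed last in the merge so it wins on a name clash (Alok's
//    version merges the other way round, letting GET win).
//    EXTR_SKIP: keys that already exist as variables are left untouched.
$imported = extract(array_merge($_GET, $_POST), EXTR_SKIP);

// Optional visibility while migrating: log how many names were imported so
// you can see which scripts still depend on the shim and fix them first.
if ($imported > 0 && ini_get('display_errors')) {
    error_log('compat_prepend: imported ' . $imported . ' request variable(s)');
}

// Alternative available on PHP 4.1 through 5.3 (removed in 5.4):
// import_request_variables() places the same data into the global scope
// under a prefix, so it can never collide with existing variables. Legacy
// code would then read $req_name instead of $name:
//     import_request_variables('gp', 'req_');
```

The prefix variant is the safer of the two when the legacy scripts can be touched at all, since nothing imported can shadow a real variable; the EXTR_SKIP variant is the one that leaves the old scripts byte-for-byte unchanged while still guaranteeing that the initialized names keep their values.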
Re: [PHP] The so-called improvement in PHP 4.2.0
The only problem with that is that I have at least 50 scripts that are using
the old thing!

on 4/22/02 5:14 PM, Adam Voigt at [EMAIL PROTECTED] wrote:

> Umm, use $_POST or $_GET or $_REQUEST from now on.
>
> Adam Voigt
> [EMAIL PROTECTED]
Re: [PHP] The so-called improvement in PHP 4.2.0
On Mon, Apr 22, 2002 at 05:10:34PM -0400, Leif K-Brooks wrote:
:
: I use $formvar for form processing, I don't use the arrays. This is how I
: was taught to do it. If my host upgrades to 4.2.0, my website is as good as
: gone! What am I supposed to do?!

Learn the new method. Or RTFM.

http://www.php.net/manual/en/html/language.variables.predefined.html

--
Eugene Lee
[EMAIL PROTECTED]
RE: [PHP] The so-called improvement in PHP 4.2.0
Change your scripts. It's relatively easy to cause variables in the
superglobal arrays to be set in the global namespace. Code samples for
this appear in various places in the user contributed notes in the
PHP documentation.

A quick and dirty working example:

foreach (array_merge($_POST,$_GET) as $key=>$val) {
    global $$key;
    $$key=$val;
}

If you include the above at the top of all your existing scripts, they
should continue to function.

As always, caveat emptor...

Alok

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED].net] On Behalf Of Leif K-Brooks
> Sent: Monday, April 22, 2002 5:11 PM
> To: [EMAIL PROTECTED]
> Subject: [PHP] The so-called improvement in PHP 4.2.0
>
>
> I use $formvar for form processing, I don't use the arrays.
> This is how I was taught to do it. If my host upgrades to
> 4.2.0, my website is as good as gone! What am I supposed to do?!
Re: [PHP] The so-called improvement in PHP 4.2.0
Umm, use $_POST or $_GET or $_REQUEST from now on.

Adam Voigt
[EMAIL PROTECTED]

On Mon, 22 Apr 2002 17:10:34 -0400, Leif K-Brooks <[EMAIL PROTECTED]> wrote:
> I use $formvar for form processing, I don't use the arrays. This is how I
> was taught to do it. If my host upgrades to 4.2.0, my website is as good as
> gone! What am I supposed to do?!