Re: [PHP] The so-called improvment in PHP 4.2.0

2002-04-23 Thread Rouvas Stathis

Miguel Cruz wrote:
> 
> On Tue, 23 Apr 2002, Rouvas Stathis wrote:
> >Miguel Cruz wrote:
> >>
> >> On Mon, 22 Apr 2002, Leif K-Brooks wrote:
> >>> I use $formvar for form processing, I don't use the arrays.  This is how I
> >>> was taught to do it.  If my host upgrades to 4.2.0, my website is as good as
> >>> gone!  What am I supposed to do?!
> >>
> >> Fix them! This direction was first announced in 4Q1999; 2.5 years ought to
> >> be enough preparation time.
> >
> > No, it isn't! For anything that breaks old functionality, 'forever' is
> > not enough time.
> 
> It doesn't break old functionality. You just have to read the manual.
> Either leave your php.ini file untouched from your earlier installation
> (which is not a difficult undertaking), or override the global import
> feature on a site-by-site (or directory-by-directory) basis using your web
> server's configuration tools.

Yes, you could do that. But then again, what happens if you have to use
a piece of code that someone else has written that did not take the new
habit into account? A number of interesting questions arise when you
have to operate that code along with newer one. Oh well, I guess
everything must change. After all, managing change is what we humans do,
don't we? :-)

> 
> >> This change improves your security, so it'd be rational to be happy about
> >> it.
> >
> > No it doesn't. It just provides another excuse for lazy programming.
> > Nothing will save a lazy programmer or one that doesn't understand basic
> > principles.
> 
> I disagree. You cannot expect everyone to be perfect. The fact is that
> people make mistakes and go through a learning process, and anything that
> helps them through this is a benefit to all. Otherwise why have any
> security features at all? Firewalls encourage lazy programming! Locks and
> police encourage lazy domestic vigilance!

It's just that I don't see any security value in superglobals. If
someone does not know enough, he/she will make the same mistake with or
without superglobals (from security's point of view).
As far as "lazy programming", please refer to my previous post.

-Stathis.


> 
> And it's not lazy to assume a variable starts with value NULL, in a
> language with no storage declaration requirements and where the
> documentation says that variables start with value NULL. Just because C or
> Pascal require you to do something, doesn't mean that you are being lazy
> for not doing it elsewhere.
> 
> miguel

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] The so-called improvment in PHP 4.2.0

2002-04-23 Thread Erik Price


On Tuesday, April 23, 2002, at 11:46  AM, Rouvas Stathis wrote:

> Preventing namespace pollution...now you convince me.
>
> I used the term "lazy programming" without explaining what I meant,
> hence the misunderstanding. I refer to "lazy programming" in the sense
> of not properly and thoroughly checking user input, or as I believe, any
> input from external to your code sources. If you don't do that I don't
> believe that anything will save you. Promoting superglobals as a
> security enhancement, no I don't buy that.

Yes, two different interpretations of laziness.

The coder must still be vigilant regarding user input, and check
everything.  But superglobals, imho, do tend to reduce the sloppiness of
the final code.


Erik






Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]






Re: [PHP] The so-called improvment in PHP 4.2.0

2002-04-23 Thread Rouvas Stathis

Erik Price wrote:
> 
> On Tuesday, April 23, 2002, at 06:48  AM, Rouvas Stathis wrote:
> 
> >> This change improves your security, so it'd be rational to be happy
> >> about
> >> it.
> >
> > No it doesn't. It just provides another excuse for lazy programming.
> > Nothing will save a lazy programmer or one that doesn't understand basic
> > principles.
> 
> While I agree that it doesn't improve security much if the coder was
> already using $HTTP_SESSION_VARS (which he/she should have been doing),
> it definitely does not promote lazy programming.  If anything,
> registering all the variables as global promotes lazy programming!
> Sure, it's convenient to be able to access a variable with this shorter
> method, but do you really want all of these different session variables,
> post variables, get variables, cookie variables, and server variables
> sharing the same global namespace/scope?  (I use that last term loosely.)

Preventing namespace pollution...now you convince me.

I used the term "lazy programming" without explaining what I meant,
hence the misunderstanding. I refer to "lazy programming" in the sense
of not properly and thoroughly checking user input, or as I believe, any
input from external to your code sources. If you don't do that I don't
believe that anything will save you. Promoting superglobals as a
security enhancement, no I don't buy that.

-Stathis.

> 
> IMHO that is much lazier than using superglobals with register_globals
> off.
> 
> Erik
> 
> 
> 
> Erik Price
> Web Developer Temp
> Media Lab, H.H. Brown
> [EMAIL PROTECTED]





Re: [PHP] The so-called improvment in PHP 4.2.0

2002-04-23 Thread Miguel Cruz

On Tue, 23 Apr 2002, Rouvas Stathis wrote:
>Miguel Cruz wrote:
>> 
>> On Mon, 22 Apr 2002, Leif K-Brooks wrote:
>>> I use $formvar for form processing, I don't use the arrays.  This is how I
>>> was taught to do it.  If my host upgrades to 4.2.0, my website is as good as
>>> gone!  What am I supposed to do?!
>> 
>> Fix them! This direction was first announced in 4Q1999; 2.5 years ought to
>> be enough preparation time.
> 
> No, it isn't! For anything that breaks old functionality, 'forever' is
> not enough time.

It doesn't break old functionality. You just have to read the manual.  
Either leave your php.ini file untouched from your earlier installation
(which is not a difficult undertaking), or override the global import
feature on a site-by-site (or directory-by-directory) basis using your web
server's configuration tools.

>> This change improves your security, so it'd be rational to be happy about
>> it.
> 
> No it doesn't. It just provides another excuse for lazy programming.
> Nothing will save a lazy programmer or one that doesn't understand basic
> principles.

I disagree. You cannot expect everyone to be perfect. The fact is that
people make mistakes and go through a learning process, and anything that
helps them through this is a benefit to all. Otherwise why have any
security features at all? Firewalls encourage lazy programming! Locks and
police encourage lazy domestic vigilance!

And it's not lazy to assume a variable starts with value NULL, in a 
language with no storage declaration requirements and where the 
documentation says that variables start with value NULL. Just because C or 
Pascal require you to do something, doesn't mean that you are being lazy 
for not doing it elsewhere.

miguel


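Miguel's point about variables starting as NULL is exactly where register_globals turns a harmless habit into an authentication bypass: a flag that is only ever assigned on the success path can be pre-set by the client. The script below is an added example, not code from the thread; it emulates the register_globals import with extract() inside a function so it can be run from the command line, and the password, field names and the forged request are constructed sample values. It assumes PHP 7 or later for the type declarations.

```php
<?php
// Added example: the uninitialized-variable bug with and without
// register_globals. CORRECT_PASSWORD is a constructed sample secret.

const CORRECT_PASSWORD = 'hunter2';

// register_globals=On behaviour, emulated: every request parameter becomes
// a variable in the script's scope before the script's own code runs.
function login_register_globals(array $request): bool
{
    extract($request);   // creates $pass, and $authorized too if the client sends one

    if (isset($pass) && $pass === CORRECT_PASSWORD) {
        $authorized = true;
    }
    // $authorized is never initialized on the failure path, so on that path
    // it holds whatever the request put there: ?authorized=1 with no password.
    return !empty($authorized);
}

// register_globals=Off: read the field from $_POST and initialize every
// state variable yourself, so the request cannot pre-set it.
function login_superglobals(array $post): bool
{
    $authorized = false;
    $pass = isset($post['pass']) ? $post['pass'] : '';
    if ($pass === CORRECT_PASSWORD) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed request: a forged "authorized" parameter and no password at all.
$forged = ['authorized' => '1'];
var_dump(login_register_globals($forged));
var_dump(login_superglobals($forged));
```

Run with `php` on the command line: the first call accepts the forged request, the second rejects it. The fix is not extract() versus $_POST as such; it is that with the superglobals the script decides which variables exist and what they start as, so "assume it starts NULL" is true again.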




Re: [PHP] The so-called improvment in PHP 4.2.0

2002-04-23 Thread Erik Price


On Tuesday, April 23, 2002, at 06:48  AM, Rouvas Stathis wrote:

>> This change improves your security, so it'd be rational to be happy 
>> about
>> it.
>
> No it doesn't. It just provides another excuse for lazy programming.
> Nothing will save a lazy programmer or one that doesn't understand basic
> principles.

While I agree that it doesn't improve security much if the coder was 
already using $HTTP_SESSION_VARS (which he/she should have been doing), 
it definitely does not promote lazy programming.  If anything, 
registering all the variables as global promotes lazy programming!  
Sure, it's convenient to be able to access a variable with this shorter 
method, but do you really want all of these different session variables, 
post variables, get variables, cookie variables, and server variables 
sharing the same global namespace/scope?  (I use that last term loosely.)

IMHO that is much lazier than using superglobals with register_globals 
off.


Erik





Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]






Re: [PHP] The so-called improvment in PHP 4.2.0

2002-04-23 Thread Rouvas Stathis

Miguel Cruz wrote:
> 
> On Mon, 22 Apr 2002, Leif K-Brooks wrote:
> > I use $formvar for form processing, I don't use the arrays.  This is how I
> > was taught to do it.  If my host upgrades to 4.2.0, my website is as good as
> > gone!  What am I supposed to do?!
> 
> Fix them! This direction was first announced in 4Q1999; 2.5 years ought to
> be enough preparation time.

No, it isn't! For anything that breaks old functionality, 'forever' is
not enough time.

> 
> This change improves your security, so it'd be rational to be happy about
> it.

No it doesn't. It just provides another excuse for lazy programming.
Nothing will save a lazy programmer or one that doesn't understand basic
principles.

-Stathis.

> 
> In any case, you can probably override it for your web space with a
> .htaccess directive, should you want to persist in your resistance to
> positive change.
> 
> Also, if you were taught to do it the $formvar way in the past year or so,
> you should find the person who taught you and tweak their nose.
> 
> miguel
> 
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php





Re: [PHP] The so-called improvment in PHP 4.2.0

2002-04-22 Thread Miguel Cruz

On Mon, 22 Apr 2002, Leif K-Brooks wrote:
> I use $formvar for form processing, I don't use the arrays.  This is how I
> was taught to do it.  If my host upgrades to 4.2.0, my website is as good as
> gone!  What am I supposed to do?!

Fix them! This direction was first announced in 4Q1999; 2.5 years ought to 
be enough preparation time.

This change improves your security, so it'd be rational to be happy about 
it.

In any case, you can probably override it for your web space with a 
.htaccess directive, should you want to persist in your resistance to 
positive change.

Also, if you were taught to do it the $formvar way in the past year or so, 
you should find the person who taught you and tweak their nose.

miguel






Re: [PHP] The so-called improvment in PHP 4.2.0

2002-04-22 Thread Rodolfo Gonzalez

On Mon, 22 Apr 2002, Leif K-Brooks wrote:
> The only problem with that is that I have at least 50 scripts that are using
> the old thing!

You could auto_prepend the file which has the code for "backwards 
compatibility" of the variables.







RE: [PHP] The so-called improvment in PHP 4.2.0

2002-04-22 Thread Rasmus Lerdorf

Also see extract() and import_request_variables()

Although, an upgrade to PHP 4.2.0 is not going to automatically disable
register_globals.  Upgrading PHP does not overwrite the existing php.ini
file, so unless your ISP specifically changes this php.ini setting, nothing
will change.

-Rasmus

On Mon, 22 Apr 2002, Alok K. Dhir wrote:

> Change your scripts.  It's relatively easy to cause variables in the
> superglobal arrays to be set in the global namespace.  Code samples for
> this appear in various places in the user contributed notes in the
> PHP documentation.
>
> A quick and dirty working example:
>
> foreach (array_merge($_POST,$_GET) as $key=>$val) {
>   global $$key;
>   $$key=$val;
> }
>
> If you include the above at the top of all your existing scripts, they
> should continue to function.
>
> As always, caveat emptor...
>
> Alok
>
> > -Original Message-
> > From:
> > [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED].
> > net] On Behalf Of Leif K-Brooks
> > Sent: Monday, April 22, 2002 5:11 PM
> > To: [EMAIL PROTECTED]
> > Subject: [PHP] The so-called improvment in PHP 4.2.0
> >
> >
> > I use $formvar for form processing, I don't use the arrays.
> > This is how I was taught to do it.  If my host upgrades to
> > 4.2.0, my website is as good as gone!  What am I supposed to do?!
> >
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>


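Rodolfo's auto_prepend suggestion and Alok's loop can be combined into something safer than re-creating register_globals wholesale. The file below is an added example, not code from the thread or from PHP itself: it is a prepend file that imports only an explicit list of form fields into the global scope, so a request cannot create $authorized, $is_admin or any other variable the old scripts never expected from the client. The paths, the field list and the sample request are assumptions. Note two differences from the quick-and-dirty loop: array_merge($_POST,$_GET) lets a query-string parameter overwrite a posted field of the same name (later arguments win), whereas here POST wins; and nothing outside the list is imported at all. Both import_request_variables() and register_globals itself were removed in PHP 5.4, so a shim like this is the only route on current versions.

```php
<?php
// Added example: compatibility prepend file for register_globals=Off.
// Load it from php.ini:
//   register_globals = Off
//   auto_prepend_file = "/var/www/lib/compat_globals.php"   (assumed path)
// or per directory in .htaccess under mod_php:
//   php_flag  register_globals  off
//   php_value auto_prepend_file /var/www/lib/compat_globals.php

// The only request fields the old scripts may receive as globals (assumed
// list). Any other key ($authorized, $is_admin, $db_host, ...) stays in
// $_POST/$_GET and never becomes a variable.
$COMPAT_FORM_FIELDS = ['username', 'email', 'comment', 'page'];

// Returns name => value for allowed fields only. POST takes precedence over
// GET, so a query-string parameter cannot override a posted form field.
function compat_import(array $allowed, array $post, array $get): array
{
    $imported = [];
    foreach ($allowed as $name) {
        if (array_key_exists($name, $post)) {
            $imported[$name] = $post[$name];
        } elseif (array_key_exists($name, $get)) {
            $imported[$name] = $get[$name];
        }
    }
    return $imported;
}

// Give the old scripts what they expect: $username, $email, ... as globals.
foreach (compat_import($COMPAT_FORM_FIELDS, $_POST, $_GET) as $name => $value) {
    $GLOBALS[$name] = $value;
}

// Run from the command line to see the filter at work (constructed input:
// the client tries to smuggle "authorized" and to override username via GET).
if (PHP_SAPI === 'cli') {
    $post = ['username' => 'alice', 'authorized' => '1'];
    $get  = ['username' => 'mallory', 'page' => '2'];
    print_r(compat_import($COMPAT_FORM_FIELDS, $post, $get));
}
```

The list still has to be maintained per application, and the imported values are as untrusted as they were under register_globals: the shim only restores the variable names, it does not validate anything, which is Stathis's point about checking input elsewhere in the thread.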




Re: [PHP] The so-called improvment in PHP 4.2.0

2002-04-22 Thread Leif K-Brooks

The only problem with that is that I have at least 50 scripts that are using
the old thing!
on 4/22/02 5:14 PM, Adam Voigt at [EMAIL PROTECTED] wrote:

Umm, use $_POST or $_GET or $_REQUEST from now on.

Adam Voigt
[EMAIL PROTECTED]




Re: [PHP] The so-called improvment in PHP 4.2.0

2002-04-22 Thread Eugene Lee

On Mon, Apr 22, 2002 at 05:10:34PM -0400, Leif K-Brooks wrote:
: 
: I use $formvar for form processing, I don't use the arrays.  This is how I
: was taught to do it.  If my host upgrades to 4.2.0, my website is as good as
: gone!  What am I supposed to do?!

Learn the new method.  Or RTFM.

http://www.php.net/manual/en/html/language.variables.predefined.html


-- 
Eugene Lee
[EMAIL PROTECTED]





RE: [PHP] The so-called improvment in PHP 4.2.0

2002-04-22 Thread Alok K. Dhir

Change your scripts.  It's relatively easy to cause variables in the
superglobal arrays to be set in the global namespace.  Code samples for
this appear in various places in the user contributed notes in the
PHP documentation.

A quick and dirty working example:

// Import every POST and GET parameter into the global scope.
// array_merge: for string keys the later array wins, so GET overrides POST.
foreach (array_merge($_POST,$_GET) as $key=>$val) {
    global $$key;   // redundant at file scope, needed if this runs inside a function
    $$key=$val;     // variable variable: $key 'formvar' becomes $formvar
}

If you include the above at the top of all your existing scripts, they
should continue to function.

As always, caveat emptor...

Alok

> -Original Message-
> From: 
> [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED].
> net] On Behalf Of Leif K-Brooks
> Sent: Monday, April 22, 2002 5:11 PM
> To: [EMAIL PROTECTED]
> Subject: [PHP] The so-called improvment in PHP 4.2.0
> 
> 
> I use $formvar for form processing, I don't use the arrays.  
> This is how I was taught to do it.  If my host upgrades to 
> 4.2.0, my website is as good as gone!  What am I supposed to do?!
> 
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
> 






Re: [PHP] The so-called improvment in PHP 4.2.0

2002-04-22 Thread Adam Voigt

Umm, use $_POST or $_GET or $_REQUEST from now on.

Adam Voigt
[EMAIL PROTECTED]

On Mon, 22 Apr 2002 17:10:34 -0400, Leif K-Brooks <[EMAIL PROTECTED]> wrote:
> I use $formvar for form processing, I don't use the arrays.  This is how I
> was taught to do it.  If my host upgrades to 4.2.0, my website is as good as
> gone!  What am I supposed to do?!
> 
> 
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
