RE: [phplib] stricting methods (was: [RFC] Future of phplib)
From: Chris Johnson (chris <email protected>)
Date: 07/23/01

> -----Original Message-----
> From: ping <email protected> [mailto:ping <email protected>]On Behalf Of
> giancarlo pinerolo

> Kristian Koehntopp wrote:
>
> > All code is PHP4 only, and requires register_globals set to Off,
> > as should be standard in all installations anyway (unless you
> > want to lose your installation to some script kiddie fast).
>
> register_globals off will break $PHP_SELF everywhere at the moment...

Yes, it will break a lot of things. I use $DOCUMENT_ROOT all over the
place to do includes and require pathnames.

But when I started using PHP and then PHPLIB, I didn't understand the
full implication of having register_globals = On. It was the default,
and everything worked out of the box with it set that way. I knew I
could use things like $HTTP_SERVER_VARS["DOCUMENT_ROOT"] and
$HTTP_POST_VARS["myformvar1"], but that's a lot of typing, so I did not.

Now that I realize the security problem, I just turned off
register_globals. That means I have just bought myself a lot of work.
I have to go back and fix all of my pages for globals like
DOCUMENT_ROOT and PHP_SELF, and my numerous forms with POST and GET
variables.

But that's life. I don't want my sites hacked.

PHP should *NOT* ship with register_globals set to Off. In fact, it
probably shouldn't even be an option, as the security problems are just
too great and too easy to have.

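
Added example, not part of the original message or of PHPLIB: a small Python audit script for the clean-up work described above, listing where PHP source still relies on bare globals such as $DOCUMENT_ROOT, $PHP_SELF or a form field. The function name `audit`, the caller-supplied field lists and the sample page are assumptions constructed for illustration.

```python
import re

# Server variables named in the message; with register_globals = Off they are
# read from $HTTP_SERVER_VARS instead of the global scope.
SERVER_VARS = ("DOCUMENT_ROOT", "PHP_SELF")

# Double-quoted strings interpolate variables (keep them); single-quoted strings
# and // or # line comments do not count. /* */ comments are not handled.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|(?://|#).*$')
_VAR = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def _strip(line):
    """Drop single-quoted strings and line comments, keep everything else."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", line)


def audit(php_source, get_fields=(), post_fields=()):
    """Return (line_no, bare_variable, suggested_replacement) tuples."""
    sources = {name: "HTTP_SERVER_VARS" for name in SERVER_VARS}
    sources.update({name: "HTTP_GET_VARS" for name in get_fields})
    sources.update({name: "HTTP_POST_VARS" for name in post_fields})
    findings = []
    for line_no, line in enumerate(php_source.splitlines(), start=1):
        for match in _VAR.finditer(_strip(line)):
            name = match.group(1)
            if name in sources:
                fixed = '$%s["%s"]' % (sources[name], name)
                findings.append((line_no, "$" + name, fixed))
    return findings


# Constructed sample page (hypothetical, not taken from any real site).
SAMPLE = r'''<?php
include("$DOCUMENT_ROOT/lib/prepend.php");   // uses $PHP_SELF later
echo '<form action="$PHP_SELF">';
echo "<form action=\"$PHP_SELF\" method=\"post\">";
$root = $HTTP_SERVER_VARS["DOCUMENT_ROOT"];
if ($myformvar1 == "x") { print "see http://example.invalid/#top $myformvar1"; }
?>'''

if __name__ == "__main__":
    for line_no, bare, fixed in audit(SAMPLE, post_fields=("myformvar1",)):
        print("line %d: %s -> %s" % (line_no, bare, fixed))
```

Each finding still needs a manual look: a variable the script assigns itself before use is reported as well, and a replacement inside a double-quoted string has to be written with concatenation or brace syntax.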