ID: 15969
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Bogus
Bug Type: Feature/Change Request
Operating System: Linux
PHP Version: 4.1.2
New Comment:

See also: import_request_variables() and extract() for ways to deal with this issue.

Previous Comments:
------------------------------------------------------------------------

[2002-03-09 13:22:58] [EMAIL PROTECTED]

I think maybe one of us is missing the point (and it's probably me!). php.ini-recommended says: "Note that register_globals is going to be depracated (sic)(i.e., turned off by default) in the next version of PHP, because it often leads to security bugs."

I take this to mean that register_globals will be off permanently and cannot be turned back on, even in the INI. But if it means that it will default to OFF but can still be turned ON in the INI, then I have no complaint. This would protect the novice but allow those who understand the implications to turn it on. Although the latter doesn't sound to be any more than how the distribution INIs are written.

My issue is not the wisdom of having it ON or OFF, just the wisdom of taking away the option of choosing from the PHP system administrator. Availability of functions like that suggested by sniper is fine, but it would still take a huge effort to change all the code, and the potential is high for breaking any part of it by missing one place to add the function.

Your comments and thoughts are appreciated.

Colin

------------------------------------------------------------------------

[2002-03-09 08:49:13] [EMAIL PROTECTED]

As of PHP 4.1.0 there is this function:

http://www.php.net/manual/en/function.import-request-variables.php

------------------------------------------------------------------------

[2002-03-09 03:01:27] [EMAIL PROTECTED]

Open a dialog about a discussion which relaxes PHP's security badly? Of course it IS the developers' fault who are NOT aware of the implications when using register_globals on. There is nothing else the PHP Team can do than make a serious default setting if those developers are not able to understand what they are doing. And for you, it's changing one line in the INIs, so what?

If it's your ISP who decides to let this be disabled by default, then it's a good ISP. If that's what you complain about, complain at your ISP (who, honestly, should not relax this feature).

------------------------------------------------------------------------

[2002-03-08 23:33:46] [EMAIL PROTECTED]

We love PHP and our business relies upon it. I want to lobby for NOT deprecating register_globals in future releases. This will break a huge amount of code we have written and involve a major effort in repairing it, if register_globals is permanently set to NO.

I thoroughly agree with all your security issues and any new code should be written on the assumption that it is set to NO. But ultimately it should be left to the user to decide whether or not to enable it, not have it dictated to him.

All this IMHO, but I hope you will open a dialog to see how others feel about it.

Thanks,
Colin

PS. I realize this is not a bug but couldn't find a better place on the web site to express my opinion.

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=15969&edit=1
