On 03 Jul 2001 19:13:20 -0700, Rasmus Lerdorf wrote:
> On 4 Jul 2001, sterling hughes wrote:
> > Ah well, I'm guessing most people have already seen this, still, I
> > couldn't help passing it along... There are some good points (nothing
> > we haven't discussed before) and some pretty bad points as well.
>
> A lot of these are rather silly and are actually present in other
> scripting languages when they are used in a web environment. Most of it
> boils down to the fact that you cannot trust user data. The fact that
> user data is easier to get at in PHP doesn't really change the model.
> Making it harder to get the user data doesn't help if this data is still
> not checked and used incorrectly once you do get it.
>
> But, I do think it would be worthwhile to go through these and add a
> section to the documentation highlighting the pitfalls and explaining how
> to avoid them.
>
I think the main point I agree with is that since many beginning users
use PHP to implement there websites, PHP should be more secure than
other languages, and have less places where the user can mess up. I
think the security section to the documentation is a superb start,
however, I also think that PHP5.0 since we are breaking language compat,
perhaps we should turn off register_globals by default? I just see to
many chances for fscking up things big time when using that
functionality....
-Sterling
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
