At 19:05 7/4/2001, sterling hughes wrote the following:
-------------------------------------------------------------- 
>On 03 Jul 2001 19:13:20 -0700, Rasmus Lerdorf wrote:
>> On 4 Jul 2001, sterling hughes wrote:
>> > Ah well, I'm guessing most people have already seen this, still, I
>> > couldn't help passing it along...  There are some good points (nothing
>> > we haven't discussed before) and some pretty bad points as well.
>> 
>> A lot of these are rather silly and are actually present in other
>> scripting languages when they are used in a web environment.  Most of it
>> boils down to the fact that you cannot trust user data.  The fact that
>> user data is easier to get at in PHP doesn't really change the model.
>> Making it harder to get the user data doesn't help if this data is still
>> not checked and used incorrectly once you do get it.
>> 
>> But, I do think it would be worthwhile to go through these and add a
>> section to the documentation highlighting the pitfalls and explaining how
>> to avoid them.
>> 
>
>I think the main point I agree with is that since many beginning users
>use PHP to implement their websites, PHP should be more secure than
>other languages, and have less places where the user can mess up.  I
>think the security section to the documentation is a superb start,
>however, I also think that PHP5.0 since we are breaking language compat,
>perhaps we should turn off register_globals by default?  I just see too
>many chances for fscking up things big time when using that
>functionality....

I think the comment in php.ini could stress the security threat more.
St. like "Setting this on is a huge security risk." in all-caps. Plus
it should mention that requiring register_globals on makes the code 
non-portable.

[EMAIL PROTECTED]
-------------
And the eyes of them both were opened and they saw that their files
were world readable and writable, so they chmoded 600 their files.
    - Book of Installation chapt 3 sec 7 


-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
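The register_globals pitfall discussed in this thread, as an added illustration that is not code from the thread or from the PHP project. It shows the failure mode (an uninitialised control variable that a request parameter can set) next to the hardened shape (initialise every control variable, read input only from the explicit request array, validate before use). The function names, the credential table and the sample requests are constructed for this example; extract() is used to emulate what register_globals did to the global scope, and password_hash()/password_verify() assume PHP 5.5 or later.

```php
<?php
// Added example, not from the thread: why "register_globals = On" is risky.
// With register_globals on, every request parameter becomes a PHP global, so
// a control variable the script forgot to initialise can be set by the client.

// Constructed user table: username => password hash (the password is "s3cret").
$USERS = array('alice' => password_hash('s3cret', PASSWORD_DEFAULT));

function check_password($users, $user, $pass)
{
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

// The risky shape. extract() stands in for register_globals: it turns every
// request key into a local variable, just as register_globals did globally.
function vulnerable_is_admin($users, $request)
{
    extract($request);                         // emulate register_globals
    // $authorized is never initialised here ...
    if (isset($user, $pass) && check_password($users, $user, $pass)) {
        $authorized = true;
    }
    // ... so a request carrying authorized=1 reaches this test already set.
    return !empty($authorized);
}

// The hardened shape: initialise every control variable, take input only from
// the explicit request array, and validate it before use. This is safe whether
// register_globals is on or off.
function hardened_is_admin($users, $request)
{
    $authorized = false;                       // never depend on request state
    $user = isset($request['user']) ? (string) $request['user'] : '';
    $pass = isset($request['pass']) ? (string) $request['pass'] : '';
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $user)) {   // whitelist the username
        return false;
    }
    if (check_password($users, $user, $pass)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed requests: a forged one that never supplies a valid password,
// and a legitimate login.
$forged = array('authorized' => '1');
$valid  = array('user' => 'alice', 'pass' => 's3cret');

echo 'forged request, vulnerable shape: ',
     vulnerable_is_admin($USERS, $forged) ? 'admin' : 'denied', "\n";
echo 'forged request, hardened shape:   ',
     hardened_is_admin($USERS, $forged) ? 'admin' : 'denied', "\n";
echo 'valid login, hardened shape:      ',
     hardened_is_admin($USERS, $valid) ? 'admin' : 'denied', "\n";

// Runtime guard that complements "register_globals = Off" in php.ini.
// (The directive was removed in PHP 5.4, where ini_get() returns false.)
if (ini_get('register_globals')) {
    trigger_error('register_globals is On; set it Off in php.ini', E_USER_ERROR);
}
```

The hardened version does not rely on the php.ini setting at all; turning register_globals off (as proposed in the thread) removes the ambient risk, but code that initialises its own state and reads from the request arrays explicitly stays correct on any configuration, which is also what makes it portable between installations.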
