"Zeev Suraski" <[EMAIL PROTECTED]> wrote in message
news:5.1.0.14.2.20010725181631.0690eff8@localhost...
> As I said, it's easy, but it is considerably less easy than it is to add
> GET variables.  Let alone the fact that we're also dealing with SERVER and
> ENV vars, which cannot be injected at all.  How about people who check
> server variables, such as HTTPS, using isset()?  register_globals *is* evil.

I think register_globals should be set to off for all PHP users. $HTTP_*_VARS
are an easy enough way to access variables. (I would like to see $__POST,
$__GET, etc. soon, though.)
Users tend to use "php.ini-dist", since the install manual/instructions say
"copy php.ini-dist to php.ini". How about providing a "php.ini-recommended" with
appropriate comments in the next release?

Yasuo Ohgaki


-- 
PHP Development Mailing List <http://www.php.net/>
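
An added example, not part of the original thread: a simulation of the isset() check on HTTPS discussed above, comparing a lookup in the merged global scope with a lookup in the server array only. It assumes variables_order "EGPCS"; the function names are hypothetical, and the import is simulated with arrays because register_globals no longer exists in current PHP.

```php
<?php
// Simulates register_globals=On: every request source is copied into one
// scope. Assumption: variables_order "EGPCS", later sources overwrite earlier.
function import_globals(array $sources, string $order = 'EGPCS'): array
{
    $scope = [];
    foreach (str_split($order) as $letter) {
        foreach ($sources[$letter] ?? [] as $name => $value) {
            $scope[$name] = $value;
        }
    }
    return $scope;
}

// The check as written with register_globals on: isset($HTTPS).
function is_https_via_globals(array $scope): bool
{
    return isset($scope['HTTPS']);
}

// The same check against the server array only (the $HTTP_SERVER_VARS style).
// Some servers set HTTPS to "off" on plain HTTP, so that value is rejected too.
function is_https_via_server_array(array $server): bool
{
    return isset($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

// Constructed requests. On plain HTTP the server sets no HTTPS variable,
// so nothing overwrites a GET parameter of the same name.
$requests = [
    'plain HTTP, ?HTTPS=on' => ['G' => ['HTTPS' => 'on'], 'S' => ['SERVER_PORT' => '80']],
    'plain HTTP, no params' => ['G' => [], 'S' => ['SERVER_PORT' => '80']],
    'real HTTPS'            => ['G' => [], 'S' => ['HTTPS' => 'on', 'SERVER_PORT' => '443']],
];

foreach ($requests as $label => $req) {
    printf(
        "%-24s globals=%-5s server_array=%s\n",
        $label,
        var_export(is_https_via_globals(import_globals($req)), true),
        var_export(is_https_via_server_array($req['S']), true)
    );
}
```

Only the first request makes the two checks disagree: the merged scope reports HTTPS although the server never set it.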