On Wed, 4 Jun 2003, Jay Blanchard wrote:
> [snip]
> On Wed, 4 Jun 2003, Jay Blanchard wrote:
> > [snip]
> > Having register globals set to ON is one way of leaving your script open
> > to being exploitable. [/snip]
> >
> > Please explain this, how does it make it more exploitable? I think
> > that this is only true if the code is sloppy.
>
> Correct, if you properly initialize your internal variables there is
> nothing insecure about leaving register_globals on.
> [/snip]
>
> Then why has there been such a big deal about register_globals security?
> Is it because so much code is sloppy?

From a robustness perspective, it is not a bad idea to be more explicit
about where your user data is coming from and being able to easily
distinguish user-oriented data from internal data.  What has been blown a
bit out of proportion is the idea that you cannot possibly write secure
code with register_globals on.  That is of course completely false, but
you do have to be a little bit more careful, which is why the default was
changed to err on the side of safety.

-Rasmus
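
The point made above (an uninitialized internal variable is what register_globals turns into a hole, and initializing it closes the hole), as an added example that is not code from the thread. register_globals was removed in PHP 5.4, so its effect of turning request parameters into ordinary variables before the script runs is emulated with extract(); the request, session, parameter and function names are all constructed for the illustration.

```php
<?php
// Added example, not from the mailing-list thread. Emulates register_globals=On
// with extract() so the behaviour can be observed on a modern PHP build.
// All names and data below are constructed for the demonstration.

// Constructed request: a normal page parameter plus an extra, attacker-chosen key.
$request = ['page' => 'admin', 'authorized' => '1'];
// Constructed session: an anonymous visitor, nobody logged in as admin.
$session = [];

// Sloppy pattern: $authorized is assigned only on the success path and never
// initialized, so whatever register_globals placed in $authorized survives.
function sloppyCheck(array $request, array $session): bool
{
    extract($request, EXTR_OVERWRITE);          // register_globals emulation
    if (($session['user'] ?? null) === 'admin') {
        $authorized = true;
    }
    return !empty($authorized);                 // decided by the query string, not the session
}

// Explicit pattern: every internal variable is initialized by the script before
// it is used, and user data is read from the request array by name, so it is
// always clear which values came from outside.
function explicitCheck(array $request, array $session): bool
{
    extract($request, EXTR_OVERWRITE);          // same register_globals emulation
    $authorized = false;                        // internal state, owned by the script
    if (($session['user'] ?? null) === 'admin') {
        $authorized = true;
    }
    $page = (string) ($request['page'] ?? 'home'); // user data, taken from the request explicitly
    return $authorized && $page !== '';          // the request key can no longer grant access
}

var_dump(sloppyCheck($request, $session));
var_dump(explicitCheck($request, $session));
```

With the constructed input, sloppyCheck() grants access because the `authorized=1` request key becomes `$authorized` before the script's own logic runs, while explicitCheck() denies it because the script sets `$authorized = false` itself and only the session can change it. The fix is the one Rasmus describes: initialize internal variables and take user data from a known place ($_GET, $_POST or, here, the `$request` array) rather than from the bare global namespace.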

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
