Armand Turpel wrote:
> 
> > On Wed, 4 Jun 2003, Jay Blanchard wrote:
> > > [snip]
> > > Have register globals set to ON is one way of leaving your script open
> > > to being exploitable.
> > > [/snip]
> > >
> > > Please explain this, how does it make it more exploitable? I think that
> > > this is only true if the code is sloppy.
> >
> > Correct, if you properly initialize your internal variables there is
> > nothing insecure about leaving register_globals on.
> 
> But how do you know, if you have a few thousand lines of PHP code, which parts
> have some sloppy code? Nobody is perfect. In my opinion you should turn
> register_globals to off if it's possible. It's much more secure.

I strongly disagree with that.
Consider the following code (assuming $foo is an 'external' variable):

1: if ($foo=='yes') transfer_money_to_me();

2: if ($_GET['foo']=='yes') transfer_money_to_me();

Why is (2) safer than (1)? Answer: It is *not*.

As Rasmus has correctly pointed out, the usage of "register_globals=off"
per se cannot be considered a security measure. If you don't initialize
and/or check *all* user-supported variables, you're dead. It's as simple
as that. Is it annoying? Maybe. Is it necessary? *yes*

Anyway, IIRC the whole issue of register_globals started when some guy
presented a paper named "A Study in Scarlet". A whole lot of issues
were presented in that paper, which in my opinion, have been blown
quite out of perspective. register_globals is one of them.

Oh boy, this is starting to look like an urban myth: "-Hey, do you know
that register_globals=on is bad? - Really? -Yeah, and you know what? It
allows the bad boys to do eeeevil things".

-Stathis.

> 
> >
> > -Rasmus
> >
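
Rasmus's point (initialize your internal variables) and Stathis's examples (1) and (2), worked through in an added PHP example that is not code from the thread; the request array, the function names and the use of extract() to emulate register_globals are constructed for illustration:

```php
<?php
// Added example, not from the thread. The request array is constructed here;
// extract() stands in for what register_globals=on did before the script's
// first line ran: every request parameter became a PHP variable.

function is_admin_sloppy(array $request, string $user): bool
{
    extract($request);               // emulate register_globals=on
    if ($user === 'root') {
        $is_admin = true;            // the only path that assigns the flag
    }
    // On every other path $is_admin is whatever the request injected.
    return !empty($is_admin);
}

function is_admin_safe(array $request, string $user): bool
{
    extract($request);               // same register_globals emulation
    $is_admin = false;               // initialize: the injected value is discarded
    if ($user === 'root') {
        $is_admin = true;
    }
    return $is_admin;
}

// Reading the superglobal directly is not a check either: this mirrors the
// thread's example (2), which is as exploitable as (1) if the value is acted
// on unvalidated. Compare against an allow-list before using it.
function requested_action(array $get): string
{
    $allowed = ['view', 'edit'];
    $action = $get['action'] ?? 'view';
    return in_array($action, $allowed, true) ? $action : 'view';
}

// Constructed request carrying is_admin=1 and action=delete for user 'alice'.
$request = ['is_admin' => '1', 'action' => 'delete'];
// The sloppy version grants admin because the flag came from the request;
// the initialized version does not, even with register_globals emulated on;
// the allow-list check falls back to 'view' for the unknown action.
var_dump(is_admin_sloppy($request, 'alice'));
var_dump(is_admin_safe($request, 'alice'));
var_dump(requested_action($request));
```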

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
