You could leave the setting to ON in your php.ini, and impose OFF on a
per-directory (account, domain, etc) basis with a .htaccess file (or
vice-versa), assuming you have Apache.

This will mean all new clients will have the setting to OFF, and will do
things "the right way" from day 1.  It will also allow existing clients to
modify their setting to OFF (as I do on a shared server) to keep things a
little more secure.

You could also advise all existing clients of a planned changeover in 12
months, offer code advice (including a simple function at the top of each
script that can push all $_GET['var'], POST, SESSION, etc. vars into standard
$vars), and document the many security holes and benefits of upgrading over
time.

In 12 months, you can change over to OFF in the php.ini file.  At which time
coding practices, books, websites, applications and all the rest will be
much more in line than they are now.


Justin French



on 01/07/02 1:12 AM, PHPCoder ([EMAIL PROTECTED]) wrote:

> Hi
> Going through some literature, it seems like the use of registered
> globals can cause security issues. Now, the dilemma, all my previous PHP
> installations (for the last year or so) have come with register
> globals = on in the php.ini file by default, and users on my system have
> happily coded their websites using this function.
> Now, with all the new versions of PHP, the registered globals are
> turned off in the ini and will basically cause all those previous sites
> not to function. Which means that I'm between a rock and a hard place,
> turn the register globals back on and carry on with the security risks,
> or keep it off and have all those people re-code their sites...
> Is there a more "gentle" solution out there? Am I just misunderstanding
> the issue?
> Any light on the matter will be appreciated.
> 
> Thanks
> 
> 


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
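
Added example, not part of the original thread: a migration sketch for the setup discussed above, written so it also runs on old PHP. It is narrower than pushing every request variable into the script: it copies only named fields. The function name import_vars, the field names and the sample request are constructed for illustration.

```php
<?php
// Per-directory override in .htaccess (Apache with mod_php):
//     php_flag register_globals off
//
// Why the setting matters: with register_globals = On, a script like the
// one below trusts a variable the request itself can create, because
// $authorized is never initialised before it is tested.
//
//     if (check_login($user, $pass)) { $authorized = true; }
//     if ($authorized) { show_private_page(); }

// Migration helper for register_globals = Off: copy only the fields the
// script expects, from the one source it expects them in.
function import_vars($source, $allowed)
{
    $vars = array();
    foreach ($allowed as $name => $default) {
        if (isset($source[$name]) && is_string($source[$name])) {
            $vars[$name] = $source[$name];
        } else {
            $vars[$name] = $default;   // missing or array-valued input
        }
    }
    return $vars;
}

// Constructed sample request; in a real script this would be $_POST.
$sample_post = array(
    'user'       => 'alice',
    'pass'       => 's3cret',
    'authorized' => '1',               // unexpected field, never imported
);

$in = import_vars($sample_post, array('user' => '', 'pass' => ''));

$authorized = false;                   // state is always initialised here
if ($in['user'] === 'alice' && $in['pass'] === 's3cret') {  // stand-in check
    $authorized = true;
}

// Shows which names were imported and the resulting authorisation state.
var_dump(array_keys($in), $authorized);
```

Because the helper returns an array instead of creating globals, a request field can never overwrite a variable the script did not ask for.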
