[PHP] RE: [suspicious - maybe spam] [PHP] [suspicious - maybe spam] RE: Issues with News sites again...

2005-09-14 Thread Jay Blanchard
[snip]
I would be very worried about the quality of any reply that posts a link 
that says the opposite of what the person is saying. Nowhere in that link 
did I see them say that turning on the globals was a security issue. The 
page said the misuse of the globals was the security risk due to forgetting 
to initialize variables and then goes on to show examples of the issue risks 
if the globals aren't properly initialized. The security issues fall on the 
web designer, not the ISP or PHP; the ISP and PHP don't control whether I forget to 
initialize something in my PHP scripts. The first two paragraphs even state 
that it is a web designer's problem (not in so many words though).
[/snip]


At the risk of starting another globals holy war, the reply that you
received was a generalization that reflects the potential (NOTE THAT)
security risks from having register_globals 'on'. The poster was essentially
correct: misuse of globals opens up a whole can of potential security
issues. I will refer you to several good PHP security resources at
http://www.shiflett.org

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] RE: [suspicious - maybe spam] [PHP] [suspicious - maybe spam] RE: Issues with News sites again...

2005-09-14 Thread Richard Lynch
On Wed, September 14, 2005 9:46 am, Jay Blanchard wrote:
 At the risk of starting another globals holy war, the reply that you
 received was a generalization that reflects the potential (NOTE THAT)
 security risks from having register_globals 'on'. The poster was essentially
 correct: misuse of globals opens up a whole can of potential security
 issues. I will refer you to several good PHP security resources at
 http://www.shiflett.org

I was frankly rather pissed when register_globals went off.

*I* do not have any uninitialized variables anywhere in any scripts on
any site I ever built.  Period.

Upon reflection, though...

In the unlikely event that I break down and give in to client demands
to install some lame-ass bulletin board with all its *other* security
holes, it's pretty much guaranteed their crappy PHP code ALSO has a
zillion uninitialized variables.

Even phpLIB, which sort of morphed into PEAR (???), used to have a
bunch of uninitialized member variables.  It wouldn't even run on my
server since I had E_ALL cranked up.  Their first patch for that was
to just change my warnings dynamically.  Then not change them BACK at
the end of their code.  Blech.

Sure, I'd LIKE to educate every PHP scripter to never use an
uninitialized variable.  And I'd LOVE to change the default
error_reporting in php.ini to E_ALL.

But neither of those is likely to happen, and the best band-aid we can
muster is register_globals off.

That said, the real culprits, as far as I can tell, are just doing
extract($_POST), at which point they might as well have just left
register_globals on anyway...

register_globals off is a band-aid.

How the PHP community can fix this problem for real is not something
to be figured out in a 10-minute PHP-General discussion.

-- 
Like Music?
http://l-i-e.com/artists.htm
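The two failure modes discussed in this thread (register_globals on, or an `extract($_POST)` that reproduces it, combined with a variable that is only assigned on one code path) are easy to see in a few lines. The following is an added example written for this page, not code from any poster; it simulates request input with a constructed array (`$request`) instead of a real `$_POST`, and the function names (`vulnerable_access`, `hardened_access`, `config_report`) are mine.

```php
<?php
// Added example (not from the thread): why register_globals / extract($_POST)
// plus an uninitialised variable is a problem, and the defensive pattern.
// No web server needed: request input is simulated with a constructed array.

declare(strict_types=1);

// Constructed sample request standing in for $_POST. A client can send any
// field name it likes, including one the script never expected from the request.
$request = ['user' => 'guest', 'is_admin' => '1'];

// --- Vulnerable pattern (the "before") -----------------------------------
// With register_globals=On (or after extract($_POST)), every request field
// becomes a PHP variable. If the script only sets $is_admin on the success
// path and never initialises it, the client-supplied value survives the check.
function vulnerable_access(array $post, string $adminUser): string
{
    extract($post);                 // $user and $is_admin now come from the client
    if ($user === $adminUser) {
        $is_admin = true;           // only assigned on the success path
    }
    // $is_admin was never initialised to false, so a request field of the
    // same name decides the outcome instead of the comparison above.
    return !empty($is_admin) ? 'admin panel' : 'public page';
}

// --- Hardened pattern (the "after") --------------------------------------
// 1. Never extract() request data into the local scope.
// 2. Initialise every decision variable before any conditional assignment.
// 3. Read request fields explicitly, with a default, from the request array.
function hardened_access(array $post, string $adminUser): string
{
    $is_admin = false;                                   // explicit initialisation
    $user     = isset($post['user']) ? (string) $post['user'] : '';
    if ($user === $adminUser) {
        $is_admin = true;
    }
    return $is_admin ? 'admin panel' : 'public page';
}

// --- Runtime configuration check ---------------------------------------
// Verifies the two settings the thread argues for: error_reporting at E_ALL
// and register_globals off. ini_get() returns false when the directive does
// not exist at all (it was removed in PHP 5.4), which also counts as "off".
function config_report(): array
{
    $rg = ini_get('register_globals');
    $rgOff = ($rg === false || $rg === '' || $rg === '0'
              || strtolower((string) $rg) === 'off');
    return [
        'register_globals_off'     => $rgOff,
        'error_reporting_is_e_all' => (error_reporting() & E_ALL) === E_ALL,
    ];
}

echo vulnerable_access($request, 'root'), PHP_EOL;
echo hardened_access($request, 'root'), PHP_EOL;
print_r(config_report());
```

With the constructed request above, `vulnerable_access()` returns `'admin panel'` for a user who is not the admin, because the `is_admin` field supplied by the client fills the variable the script forgot to initialise; `hardened_access()` returns `'public page'`. Running the script under `php -d error_reporting=E_ALL` also makes the vulnerable version emit an "undefined variable" notice for `$is_admin` when the field is absent, which is exactly the signal Richard's E_ALL setting relies on to surface such code.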




[suspicious - maybe spam] [PHP] [suspicious - maybe spam] Re: [PHP] RE: [suspicious - maybe spam] [PHP] [suspicious - maybe spam] RE: Issues with News sites again...

2005-09-14 Thread Death Gauge
Just for the record, I'm a professional C++ programmer and I know to 
initialize variables before I use them. Secondly, I've taken into account 
what has been said, but all I keep seeing is guys saying that not 
initializing the variables opens up security issues, which is just agreeing 
with what the site is basically saying: that the only security issues would 
be introduced by the script creator. Lastly, I addressed this issue with my 
ISP and they already have security measures in place for anything that could 
come about from bad PHP scripts.


--Death Gauge
How do you gauge your death?!




Original Message Follows
From: Richard Lynch [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: Jay Blanchard [EMAIL PROTECTED]
CC: 'Death Gauge' [EMAIL PROTECTED], php-general@lists.php.net
Subject: Re: [PHP] RE: [suspicious - maybe spam] [PHP] [suspicious - maybe   
   spam] RE: Issues with News sites again...

Date: Wed, 14 Sep 2005 10:40:34 -0500 (CDT)


