Posted by Al Kolff on 07/30/05 23:55
"Geoff Berrow" <blthecat@ckdog.co.uk> wrote in message
news:t0nme195d62jj9h5ida2ghadg32olrapbd@4ax.com...
> I noticed that Message-ID: <XMadnSh0Gsh7ZXffRVn-qg@comcast.com> from
> Jerry Stuckle contained the following:
>
> >
> >You'd be much better to fix the problem than hide it. Then fix the major
> >security problem caused by register_globals being on.
>
>
> You know, I've been coming at this the wrong way for ages. Until now
> I've been coding to allow for the fact that register_globals might be
> off. While this is correct, I now realise that the most important thing
> is to code on the assumption that they /might be on/ which they often
> will be on production servers.
>
> Simply turning register_globals off on your development server won't
> make your scripts secure. In fact, I think too much is made of this.
> register globals has been made out to be the bad guy for so long that
> people are forgetting why.
>
> If all variables are defined within the script what is so wrong with it?
> --
> Geoff Berrow (put thecat out to email)
> It's only Usenet, no one dies.
> My opinions, not the committee's, mine.
> Simple RFDs http://www.ckdog.co.uk/rfdmaker/
It flat out broke when I turned globals on, but still refused to start
working again when globals were turned back off. (Yes I did reboot between
each). But, the blank line in an include is highly possible. There have been
no problems on my production server.
All the variables are defined within the script or read from mysql except:
(You're absolutely right about that solving many problems)
$MySqlHostname = "localhost";
$MySqlUsername = "xxxxxx";
$MySqlPassword = "xxxxxx";
$MySqlDatabase = "xxxxxxx";
which are defined in config.php which then is included in the various php
pages. I store the rest in the xxxxxxx msql database and read them as
needed.
Thanks for the suggestions
God Bless,
al
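
An added example, not part of the original posts: the point raised in the thread, that a script which defines every variable before use behaves the same whether register_globals is on or off. register_globals was removed in PHP 5.4, so its effect is emulated here with extract(); the function names, the $authorized flag and the request array are hypothetical.

```php
<?php
// Hypothetical page logic that leaves $authorized unset unless login succeeds.
function page_uninitialized(array $request, bool $registerGlobals): bool
{
    if ($registerGlobals) {
        // Emulates register_globals = On: each request parameter becomes
        // a variable in scope before the page logic runs.
        extract($request, EXTR_SKIP);
    }
    $loginOk = false;              // stand-in for a failed credential check
    if ($loginOk) {
        $authorized = true;
    }
    // On the failure path $authorized was never assigned by the script,
    // so whatever the request supplied is what gets tested here.
    return !empty($authorized);
}

// Same logic, with the variable defined in the script before it is used.
function page_initialized(array $request, bool $registerGlobals): bool
{
    if ($registerGlobals) {
        extract($request, EXTR_SKIP);
    }
    $authorized = false;           // explicit default replaces any injected value
    $loginOk = false;
    if ($loginOk) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed request, as if the page were fetched with ?authorized=1
$request = ['authorized' => '1'];

foreach ([false, true] as $rg) {
    printf(
        "register_globals=%s uninitialized=%s initialized=%s\n",
        $rg ? 'on' : 'off',
        var_export(page_uninitialized($request, $rg), true),
        var_export(page_initialized($request, $rg), true)
    );
}
```

Only the uninitialized variant changes its result when the emulated setting is switched on; the initialized variant returns false in both cases.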