Posted by Jay Blanchard on 09/14/05 17:46
[snip]
I would be very worried about the quality of any reply that posts a link
that says the opposite of what the person is saying. Nowhere in that link
did I see them say that turning on the globals was a security issue. The
page said the misuse of the globals was the security risk due to forgetting
to initialize variables and then goes on to show examples of the issue risks
if the globals aren't properly initialized. The security issues fall on the
web designer, not the ISP or PHP; the ISP and PHP don't control if I forget to
initialize something in my PHP scripts. The first two paragraphs even state
that it is a web designer's problem (not in so many words though).
[/snip]
At the risk of starting another globals holy war, the reply that you
received was a generalization that reflects the potential (<---- NOTE THAT)
security risks from having register globals 'on'. The poster was essentially
correct: misuse of globals opens up a whole can of potential security
issues. I will refer you to several good PHP security resources at
http://www.shiflett.org
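
The uninitialized-variable problem discussed in this thread, as an added example that is not part of the original post: because register_globals no longer exists in current PHP, its effect is emulated here with extract(), and authenticated_user(), careless_page() and careful_page() are hypothetical names with constructed request data.

```php
<?php
// Added example: register_globals was removed in PHP 5.4, so extract()
// stands in for it. EXTR_SKIP keeps the emulation from clobbering the
// function's own parameters; only otherwise-unset names get created.

// Hypothetical stand-in for a real session or credential check.
function authenticated_user(array $session): bool
{
    return ($session['user'] ?? null) === 'admin';
}

// Written the careless way: $authorized is only ever assigned true.
function careless_page(array $request, array $session): string
{
    extract($request, EXTR_SKIP);   // every request field becomes a variable
    if (authenticated_user($session)) {
        $authorized = true;
    }
    // Old PHP treated an unset $authorized as false with only a notice;
    // isset() is used here just to keep a modern interpreter quiet.
    return (isset($authorized) && $authorized) ? 'sensitive data' : 'denied';
}

// Same logic, but the flag is initialized before it is used, so whatever
// the request placed in $authorized is overwritten.
function careful_page(array $request, array $session): string
{
    extract($request, EXTR_SKIP);
    $authorized = false;
    if (authenticated_user($session)) {
        $authorized = true;
    }
    return $authorized ? 'sensitive data' : 'denied';
}

// Constructed inputs: a request carrying ?authorized=1 and an empty session.
$forged = ['authorized' => '1'];
$anon   = [];

echo 'careless, forged request: ', careless_page($forged, $anon), "\n";
echo 'careful,  forged request: ', careful_page($forged, $anon), "\n";
echo 'careful,  real admin:     ', careful_page([], ['user' => 'admin']), "\n";
```

With the setting off, the same script would read request input only through $_GET, $_POST or $_COOKIE, so a forgotten initialization could not be filled in by the request.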