Posted by John Nichel on 09/14/05 18:07
Jay Blanchard wrote:
> [snip]
> I would be very worried about the quality of any reply that posts a link
> that says the opposite of what the person is saying. Nowhere in that link
> did I see them say that turning on the globals was a security issue. The
> page said the misuse of the globals was the security risk due to forgetting
> to initialize variables and then goes on to show examples of the issue risks
> if the globals aren't properly initialized. The security issues fall on the
> web designer not the ISP or PHP, ISP and PHP don't control if I forget to
> initialize something in my PHP scripts. The first two paragraphs even state
> that it is a web designer's problem (not in so many words though).
> [/snip]
>
>
> At the risk of starting another globals holy war, the reply that you
Trouble maker.
> received was a generalization that reflects the potential (<---- NOTE THAT)
> security risks from having register globals 'on'. The poster was essentially
> correct, misuse of globals opens up a whole can of potential security
> issues. I will refer you to several good PHP security resources at
> http://www.shiflett.org
At the risk of inflating Chris' ego, I second that referral. ;)
--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
john@kegworks.com
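
Added example, not part of this post or the messages it quotes: the uninitialized-variable risk under discussion, shown next to the initialized form. register_globals no longer exists in current PHP (removed in 5.4), so its effect is simulated with extract() on a constructed request array; check_login() and both page functions are hypothetical names.

```php
<?php
// Constructed sample request, equivalent to /page.php?authorized=1
$request = ['authorized' => '1'];

// Hypothetical stand-in for a real credential check; it always fails here,
// so any "authorized" result below comes from the request, not from a login.
function check_login(): bool
{
    return false;
}

// Risky pattern: the flag is only assigned on success and never initialized.
function page_uninitialized(array $request): bool
{
    // Simulates register_globals: request parameters become local variables.
    extract($request);

    if (check_login()) {
        $authorized = true;
    }

    // $authorized still holds whatever the request supplied.
    return !empty($authorized);
}

// Same logic with the flag initialized before it is used.
function page_initialized(array $request): bool
{
    extract($request);

    // Explicit initialization discards any request-supplied value.
    $authorized = false;

    if (check_login()) {
        $authorized = true;
    }

    return $authorized;
}

var_dump(page_uninitialized($request));
var_dump(page_initialized($request));
```

The first call reports the visitor as authorized even though the login check failed; the second does not, which is the difference initializing the variable makes.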