Since the days of PHP3 we've used registered global variables in our PHP
scripts. Of course, most of our development is still in PHP3 land so that
hasn't changed much.
Now though, more development will happen on a PHP4 box and I'm interested in
turning off "register globals".
A quick Google search[1] found an interview with Rasmus[2] who disagreed with
turning them off, as "It adds very little to the overall security of an
application." but reading the manual page[3] it makes logical sense to me to
break up where your variables come from.
The downside is you're restricted somewhat in tricks you can play to get over
the limitations of the browser (logging into a remote server via an invisible
image springs to mind. If the remote server expects POST variables, the login
script would have to copy the GET variables into the POST array.)
So, has anyone turned "register globals" off and lived to tell the tale? And
if so, is it worth the hassle?
[1] http://www.google.com/search?q=php+register+globals+off+why
[2] http://www.webmasterbase.com/article/767/41
[3] http://www.zend.com/manual/security.registerglobals.php
Donncha.
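
An added example, not part of the original post: the uninitialised-variable problem that separating the input arrays addresses, next to the same check written for "register globals" off, plus the GET-to-POST copy the post mentions. It targets current PHP, where register_globals no longer exists, so extract() emulates it; the function names and sample request are constructed for illustration.

```php
<?php
// Added example: function names and sample data are constructed.

// Emulates register_globals=On: every request parameter becomes a plain
// variable, so the script cannot tell where $authorized came from.
function check_with_globals(array $get, array $post, bool $loginOk): bool
{
    // POST wins over GET; EXTR_SKIP leaves the function's own variables alone.
    extract($post + $get, EXTR_SKIP);
    if ($loginOk) {
        $authorized = true;
    }
    // Defect: $authorized is never initialised, so a request parameter
    // with the same name survives to this point.
    return !empty($authorized);
}

// register_globals=Off style: state is initialised by the script and
// request data never lands in the variable namespace.
function check_without_globals(array $get, array $post, bool $loginOk): bool
{
    $authorized = false;
    if ($loginOk) {
        $authorized = true;
    }
    return $authorized;
}

// The relay case from the post: a script reached via GET that must hand
// the values on as POST fields copies only an explicit allow-list.
function get_to_post(array $get, array $allowed): array
{
    $post = [];
    foreach ($allowed as $name) {
        if (isset($get[$name]) && is_string($get[$name])) {
            $post[$name] = $get[$name];
        }
    }
    return $post;
}

// Constructed request: failed login, but "authorized" supplied in the URL.
$get = ['user' => 'alice', 'pass' => 'example-only', 'authorized' => '1'];
var_dump(check_with_globals($get, [], false));
var_dump(check_without_globals($get, [], false));
var_dump(get_to_post($get, ['user', 'pass']));
```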