On Mon, 15 Aug 2005, Zeev Suraski wrote:

> At 20:52 14/08/2005, Rasmus Lerdorf wrote:
> >Zeev Suraski wrote:
> > > If we are to do anything about register_globals, perhaps we can change
> > > the name of the directive to something else (e.g. unprotected_globals),
> > > and of course keep its default 0.  Admins will have to make an informed
> > > decision to turn it on again, and we can speak against it as strongly as
> > > we want in an upgrade guide.
> >
> >I think that would be a really bad idea.  Code that tries to be portable
> >and uses ini_get('register_globals') would now be lying to us?  Or do we
> >add unprotected_globals as an alias?  So instead of getting rid of it,
> >we now have two directives that mean the same thing?
> 
> While that can easily be solved (making register_globals a read only alias of
> unprotected_globals), I'm not sold on this idea, although it does the same job
> as a userland solution.

I think changing register_globals to a different name is a silly idea. 
You're only making things harder here. Perhaps you forgot that Rasmus 
was always advocating that register globals is a good thing, but now he 
actually wants to get rid of it after he saw the enormous amounts of 
problems it caused regarding the security of our users' webapps. Not 
supporting him here in getting rid of this extremely (off-by-default) 
horrid feature is definitely the way forward.

Derick

-- 
Derick Rethans
http://derickrethans.nl | http://ez.no | http://xdebug.org

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
