--- Paul Chvostek <[EMAIL PROTECTED]> wrote:
> I've got this new server running with folks from all over
> uploading PHP code. I don't know all the folks, so I've
> turned on safe_mode, set an open_basedir to each user's
> documentroot, and left register_globals at its default.
>
> And now I'm getting scads of requests to turn on
> register_globals from folks who want to run php-nuke and
> some other established packages that rely on it.

First, your instincts are good, and register_globals is best left off. However, that is the developer in me speaking.

From an administrator's perspective, it really doesn't matter. Turning it on won't allow your users (who are themselves developers) to do anything more malicious than leaving it off would; it doesn't give them more power or privilege. In fact, since register_globals is no magic cure, it won't even necessarily make the applications that they run and/or develop any more secure. They could develop an application just as insecure with register_globals off, and it really only affects their application and their users for the most part anyway.

So, I would turn it on if I were in your situation, or rather, I would allow them to override the default settings via a .htaccess file (assuming Apache).

Hope that helps.

Chris
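
The per-directory override suggested above, as an added example that is not part of the original message: the administrator pins safe_mode and open_basedir with php_admin_* directives, which .htaccess cannot change, while a user opts in to register_globals for one application. The hostname and paths are constructed placeholders, and mod_php on Apache is assumed.

```apache
# --- httpd.conf (administrator-controlled) ---
# Hostname and paths below are constructed placeholders.
<VirtualHost *:80>
    ServerName user1.example.com
    DocumentRoot /home/user1/public_html

    # php_admin_* settings cannot be overridden from .htaccess or ini_set(),
    # so the sandbox stays in place whatever the user uploads.
    php_admin_flag  safe_mode    on
    php_admin_value open_basedir /home/user1/public_html

    # Server-side default stays off; php_flag (not php_admin_flag)
    # leaves it overridable per directory.
    php_flag register_globals off

    <Directory /home/user1/public_html>
        # "Options" is the override class that permits php_flag / php_value
        # in .htaccess. It also lets users change Apache Options there.
        AllowOverride Options
    </Directory>
</VirtualHost>

# --- /home/user1/public_html/nuke/.htaccess (user-controlled) ---
# Turns register_globals on only for the application that relies on it.
php_flag register_globals on
```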