> I notice the INSTALL file in 4.2.2 mentions that people "should write
> their scripts to work with this [register_globals] turned off". Based
> on what I've mentioned below, what can I do to conform to this statement
> made by the PHP authors? From what I know about programming, I am
> setting globals where appropriate already.. but apparently I am
> incorrect, since upgrading to 4.2.2 broke all my stuff unless I turn
> [register_globals] on. Any suggestions?

Keeping register_globals OFF simply gives you the opportunity to make fewer mistakes in your code. When you have a link like http://www.example.com/page.php?ID=1, reg_globals ON will create a variable $ID that you can use in your script. The problem is, you don't know if it came from the URL, a POSTed form, a COOKIE, or what. The second problem is that if I use the variable $blah somewhere in my script, a malicious user could pass a value of $blah through the URL, POST, or COOKIE, and create problems in my code.

With reg_globals OFF, you have to access the variables in the $_GET, $_POST, $_COOKIE, etc., arrays. $_GET['ID'], for the example above, tells you for sure that the value came from the URL. Also, if I make a variable $blah somewhere in my script, I know that the user can't affect its value at all, even by passing ?blah=foo in the URL.

So basically you should begin using the superglobal arrays $_GET, $_POST, $_COOKIE, $_ENV, $_SERVER, and $_SESSION in your scripts...

HTH!

---John Holmes...

--
PHP General Mailing List (http://www.php.net/)
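
The difference described in the reply above, as an added example that is not part of the original message. The function names, the `$is_admin` flag and the sample request are assumptions made for illustration; because register_globals was removed in PHP 5.4, `extract()` is used only to reproduce its effect.

```php
<?php
// Constructed sample request, standing in for page.php?ID=1&is_admin=1
$request = ['ID' => '1', 'is_admin' => '1'];

// Emulates register_globals ON: every request key becomes a variable
// in scope before the script's own logic runs.
function page_globals_on(array $request): array
{
    extract($request);              // $ID and $is_admin now exist

    // The script only sets the flag when it was "not set yet", so a
    // request-supplied value survives and is trusted.
    if (!isset($is_admin)) {
        $is_admin = false;
    }

    // $ID may have come from the URL, a form or a cookie; nothing here can tell.
    return ['id' => $ID ?? null, 'is_admin' => (bool) $is_admin];
}

// register_globals OFF style: read only the named key from the GET
// array, validate it, and initialise script-owned variables yourself.
function page_globals_off(array $get): array
{
    $is_admin = false;              // script-owned; the request cannot reach it

    $id = filter_var(
        $get['ID'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );

    return ['id' => $id === false ? null : $id, 'is_admin' => $is_admin];
}

var_dump(page_globals_on($request));   // flag taken from the request
var_dump(page_globals_off($request));  // flag stays under script control
```

In a real script the second function would be passed `$_GET`, which is what ties the `ID` value to the URL rather than to a form or cookie.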