On Tue, 2003-06-17 at 01:20, DvDmanDT wrote:

> Because if you are reading a book, and want to try the samples, chances are
> quite big you want to try it exactly bit by bit, not modifying it on your
> own... And even more, if you get like a CD or something, it must feel VERY
> bad to have to rewrite it all...

Agreed. But register_globals has been default to "off" since PHP 4.2.0, which was released in April 2002. There sure must be PHP books that have been published since then that don't rely on this semantics?

> Now, which part was deprecated?

Writing code which presumes that register_globals = on. You see, at some time, the register_globals directive might be dropped altogether and the feature will not be there any more. Yes, you might be able to work around it by writing your own register_globals() function, but wouldn't it be better to fix the code instead?

My rationale is pretty simple: register_globals has been disabled for good reasons. You can read more about it at http://www.php.net/manual/en/security.registerglobals.php

> And in php.ini-dist, error_reporting is set to all but notices by default..

This is probably because there is so much bad code out there that generates tons of notices.

In a development environment, regardless of the programming language, be it PHP, C, C++, Java or something different, I am very strongly in favor of all warnings being turned on. This is because it will help you so much, avoiding common pitfalls. For example, if notices are turned off, and you somewhere in a 25000 line class misspell a variable, how would you know? The code wouldn't work, and it would take a while to debug it to find where the error is. With notices enabled, this error would be spotted immediately.

So, the conclusion: having notices turned on when developing PHP is strongly encouraged, because:

1) it will make the code better.
2) it will help you in the development.

> Register_globals are however bad, I'll agree to that... But still, all hosts
> I know of have it enabled and besides, why not?

The reason many hosts have it enabled is that there are so many scripts that rely heavily on it being enabled.

> I'm probably missing something, but what is the insecure part of
> register_globals?

See the link I posted above.

> I mean, for the scripts that needs security, you can use $_POST and $_SESSION
> and so on, but for things like "Enter two numbers to see which one is biggest",
> it feels quite silly to disable it...

With all due respect, I believe this to be the big flaw in your reasoning. "for the scripts that needs security" -- that says it all. Now, I totally agree that there might actually be scripts that *don't* need any NASA level of security, but still, the thinking is flawed, because code changes. Your little "enter two numbers" script might end up being used in a completely different environment to what you thought. And *in that environment*, security might be highly important.

Let me give another example, that will show you what I mean. Microsoft developed Windows as a 16-bit extension to DOS, with some fluffy GUI features. This was in the 80s. Then, they worked on it and changed bits and pieces here and there, and suddenly the Internet started becoming popular, so a company developed a program called Trumpet Winsock that would let you connect to the Internet. Fantastic! But hey, what about security? Windows was never designed to be used in this kind of environment, but still, it didn't matter too much since it was mostly used with dialup connections.

Then, the development continued and in September 1994 (if I'm not mistaken) Windows 95 was released. It was a revolution to the Windows users. There were so many improvements to the old Windows 3.1 and 3.11 systems that they are too many to be mentioned here. One of the things that was changed was that TCP/IP was now integrated in the main system, shipped with the standard version. Still, the system had not been redesigned; it was still a single-user system, where Internet connectivity was simply a "plug-in" and not something that the system was designed for (such as is the case with Unix, which was designed with multi-user and network in mind).

This could clearly be seen with all the security problems that appeared, in the Internet Explorer browser for example, and in the IIS/PWS web servers. And now, today, many people are connected to the Internet using broadband connections, where their machines are accessible through the Internet all day long, using an operating system that was never designed for this kind of environment.

Oh, how I wish that Microsoft would just have "set register_globals = off" at some time in the past... (I hope you understand the analogy)

--
Best regards,
Per Lundberg / Capio ApS
Phone: +46-18-4186040
Fax: +46-18-4186049
Web: http://www.nobolt.com
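An added example, not part of the thread: the "enter two numbers, see which one is biggest" script discussed above, written first in the register_globals-dependent style and then in a form that behaves the same whether the directive is on, off, or removed; the function and variable names are assumptions of mine.

```php
<?php
// Added example (not from the mailing-list thread). Both versions implement
// "enter two numbers to see which one is biggest".

// As argued in the thread: in development, report everything, notices included.
error_reporting(E_ALL);

// --- 1. The register_globals-dependent style ------------------------------
// With register_globals = on, a request such as ?a=3&b=7 silently creates the
// globals $a and $b. With it off (the default since PHP 4.2.0) they never
// exist, and with E_ALL enabled PHP reports an undefined variable right here,
// which is exactly the early warning the thread argues for. The same mechanism
// also lets any other request parameter overwrite a global the script never
// meant to take from the client.
$biggest_old = ($a > $b) ? $a : $b;

// --- 2. The portable style -------------------------------------------------
// Every input is initialised and read explicitly from the request array, then
// validated, so no request parameter can become a variable the code did not
// ask for. Takes the array so it can be exercised without a web server.
function biggest(array $request)
{
    $a = isset($request['a']) ? $request['a'] : null;
    $b = isset($request['b']) ? $request['b'] : null;

    // Refuse non-numeric input instead of comparing arbitrary strings.
    if (!is_numeric($a) || !is_numeric($b)) {
        return null;
    }

    $a = $a + 0;   // numeric string -> int or float
    $b = $b + 0;

    return ($a > $b) ? $a : $b;
}

// Constructed sample requests, standing in for what $_GET would hold.
$good = array('a' => '3', 'b' => '7');   // valid: picks the larger value
$bad  = array('a' => 'abc', 'b' => '7'); // invalid: rejected as NULL

var_dump(biggest($good));
var_dump(biggest($bad));

// Against a real request, pass the superglobal explicitly.
var_dump(biggest($_GET));
```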