On Tue, 2003-06-17 at 01:20, DvDmanDT wrote:
> Because if you are reading a book, and want to try the samples, chances are
> quite big you want to try it exactly bit by bit, not modifying it on your
> own... And even more, if you get like a CD or something, it must feel VERY
> bad to have to rewrite it all...

Agreed.  But register_globals has defaulted to "off" since PHP 4.2.0,
which was released in April 2002.  There sure must be PHP books that
have been published since then that don't rely on these semantics?

> Now, which part was deprecated?

Writing code which presumes that register_globals = on.  You see, at
some time, the register_globals directive might be dropped altogether
and the feature will not be there any more.  Yes, you might be able to
work around it by writing your own register_globals() function, but
wouldn't it be better to fix the code instead?

My rationale is pretty simple: register_globals has been disabled for
good reasons.  You can read more about it at
http://www.php.net/manual/en/security.registerglobals.php

> And in php.ini-dist, error_reporting is set to all but notices by default..

This is probably because there is so much bad code out there that
generates tons of notices.  In a development environment, regardless of
the programming language, be it PHP, C, C++, Java or something
different, I am very strongly in favor of all warnings being turned on.
This is because it will help you so much, avoiding common pitfalls.  For
example, if notices are turned off, and you somewhere in a 25000 line
class misspell a variable, how would you know?  The code wouldn't work,
and it would take a while to debug it to find where the error is.  With
notices enabled, this error would be spotted immediately.

So, the conclusion: having notices turned on when developing PHP is
strongly encouraged, because: 1) it will make the code better.  2) it
will help you in the development.

> Register_globals are however bad, I'll agree to that... But still, all hosts
> I know of have it enabled and besides, why not?

The reason many hosts have it enabled is that there are so many scripts
that rely heavily on it being enabled.

> I'm probably missing something, but what is the insecure part of
> register_globals?

See the link I posted above.

> I mean, for the scripts that need security, you can use $_POST and $_SESSION
> and so on, but for things like "Enter two numbers to see which one is biggest",
> it feels quite silly to disable it...

With all due respect, I believe this to be the big flaw in your
reasoning.  "for the scripts that need security" -- that says it all.
Now, I totally agree that there might actually be scripts that *don't*
need any NASA level of security, but still, the thinking is flawed,
because code changes.  Your little "enter two numbers" script might end
up being used in a completely different environment to what you
thought.  And *in that environment*, security might be highly important.

Let me give another example, that will show you what I mean.  Microsoft
developed Windows as a 16-bit extension to DOS, with some fluffy GUI
features.  This was in the 80s.  Then, they worked on it and changed
bits and pieces here and there, and suddenly the Internet started
becoming popular, so a company developed a program called Trumpet
Winsock that would let you connect to the Internet.  Fantastic!  But
hey, what about security?  Windows was never designed to be used in this
kind of environment, but still, it didn't matter too much since it was
mostly used with dialup connections.

Then, the development continued and in September 1994 (if I'm not
mistaken) Windows 95 was released.  It was a revolution to the Windows
users.  There were so many improvements to the old Windows 3.1 and 3.11
systems that they are too many to be mentioned here.  One of the things
that was changed was that TCP/IP was now integrated in the main system,
shipped with the standard version.  Still, the system had not been
redesigned; it was still a single-user system, where Internet
connectivity was simply a "plug-in" and not something that the system
was designed for (such as is the case with Unix which was designed with
multi-user and network in mind).  This could clearly be seen with all
the security problems that appeared, in the Internet Explorer browser
for example, and in the IIS/PWS web servers.

And now, today, many people are connected to the Internet using
broadband connections, where their machines are accessible through the
Internet all day long.  Using an operating system that was never
designed for this kind of environment.  Oh, how I wish that Microsoft
would just have "set register_globals = off" at some time in the
past...  (I hope you understand the analogy)
--
Best regards,

Per Lundberg / Capio ApS
Phone: +46-18-4186040
Fax: +46-18-4186049
Web: http://www.nobolt.com
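An added example, not part of the mail above and not taken from the PHP manual page it links: the "enter two numbers to see which one is biggest" script written once in the style that depends on register_globals and once reading and validating $_GET explicitly, followed by the misspelled-variable case that error_reporting(E_ALL) catches. It assumes PHP 7 or later; the function names and the sample input are chosen here.

```php
<?php
// Added example, not code from the mail above: the "enter two numbers to see
// which one is biggest" script written two ways, plus the misspelled-variable
// case. Assumes PHP 7 or later; the function names are chosen here.
declare(strict_types=1);

// The development setting the mail argues for: every notice and warning visible.
error_reporting(E_ALL);
ini_set('display_errors', '1');

// ---- Style 1: depends on register_globals = on ----
// With register_globals on, a request such as ?a=3&b=7 silently creates the
// globals $a and $b before this line runs. With it off (the default since
// PHP 4.2.0) they are undefined, and E_ALL reports exactly that on this line.
// The security cost of "on": the client decides which globals exist, so any
// variable a script reads before assigning it can be preset from the request.
$style1 = ($a > $b) ? "$a is biggest" : "$b is biggest";

// ---- Style 2: reads input explicitly and validates it ----
// Works with register_globals off and never turns request data into a global
// by name. Takes the array as a parameter so it can be exercised without a
// web server.
function biggest_from_request(array $get): string
{
    $a = filter_var($get['a'] ?? null, FILTER_VALIDATE_INT);
    $b = filter_var($get['b'] ?? null, FILTER_VALIDATE_INT);
    if ($a === false || $b === false) {
        return 'Please enter two whole numbers.';
    }
    return ($a > $b) ? "$a is biggest" : "$b is biggest";
}

// ---- The notices case from the mail ----
// $biggest is assigned, $bigest is read. With notices suppressed this quietly
// returns ""; with E_ALL, PHP reports "Undefined variable $bigest" (a notice
// in PHP 7, a warning in PHP 8) with file and line, so the typo is found at
// once instead of after a debugging session.
function misspelled_variable(int $a, int $b): string
{
    $biggest = max($a, $b);
    return (string) $bigest; // typo: should be $biggest
}

echo $style1, PHP_EOL;
echo biggest_from_request($_GET), PHP_EOL;                     // $_GET is empty on the CLI
echo biggest_from_request(['a' => '3', 'b' => '7']), PHP_EOL;  // constructed input: "7 is biggest"
echo misspelled_variable(3, 7), PHP_EOL;                       // empty line, plus the E_ALL report
```

Run it from the command line with `php example.php` to see the undefined-variable reports printed next to the output, or serve it with `php -S localhost:8080` and request `/example.php?a=3&b=7`: style 2 answers correctly either way, while style 1 only works if the interpreter is left with register_globals on.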
