[Webdev] PHP - register globals = off, yes/no?
Donncha O Caoimh
donncha at tradesignals.com
Tue Jul 16 10:21:50 IST 2002
Since the days of PHP3 we've used registered global variables in our PHP
scripts. Of course, most of our development is still in PHP3 land so that
hasn't changed much..

Now though, more development will happen on a PHP4 box and I'm interested in
turning off "register globals".

A quick Google search[1] found an interview with Rasmus[2] who disagreed with
turning them off, as "It adds very little to the overall security of an
application." but reading the manual page[3] it makes logical sense to me to
break up where your variables come from.

The downside is you're restricted somewhat in tricks you can play to get over
the limitations of the browser (logging into a remote server via an invisible
image springs to mind. If the remote server expects POST variables, the login
script would have to copy the GET variables into the POST array.)

So, has anyone turned "register globals" off and lived to tell the tale? And
if so, is it worth the hassle?

[1] http://www.google.com/search?q=php+register+globals+off+why
[2] http://www.webmasterbase.com/article/767/41
[3] http://www.zend.com/manual/security.registerglobals.php

Donncha.
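
An added illustration of what "breaking up where your variables come from" changes, not part of the original post: PHP CLI code that emulates register_globals with extract(), since the directive itself was removed in PHP 5.4. The request arrays, check_login() and both page functions are constructed for the example.

```php
<?php
// Added example, not code from the original post. Runs under the PHP CLI.
// register_globals is emulated with extract() over constructed request arrays.

// Constructed sample request: GET /admin.php?authorized=1 with an empty POST body.
$sampleGet  = ['authorized' => '1'];
$samplePost = [];

// Hypothetical credential check with constructed values; it fails for the
// sample request because no credentials were posted.
function check_login(array $post): bool
{
    return ($post['user'] ?? '') === 'admin'
        && ($post['pass'] ?? '') === 'constructed-secret';
}

// register_globals = on: every request parameter becomes a variable in scope.
function page_with_register_globals(array $get, array $post): bool
{
    extract($get);   // emulates the engine importing GET parameters
    extract($post);  // emulates the engine importing POST parameters
    if (check_login($post)) {
        $authorized = true;
    }
    // $authorized is never initialised by the script, so a request
    // parameter of the same name decides the outcome.
    return !empty($authorized);
}

// register_globals = off: input is read only from the array it arrived in,
// and the script's own variables start from a known value.
function page_without_register_globals(array $get, array $post): bool
{
    $authorized = false;          // explicit initialisation
    if (check_login($post)) {     // credentials accepted from POST only
        $authorized = true;
    }
    return $authorized;
}

// First call shows the request-controlled result, second the script-controlled one.
var_dump(page_with_register_globals($sampleGet, $samplePost));
var_dump(page_without_register_globals($sampleGet, $samplePost));
```

Initialising $authorized in the first function would also close the gap, which is the substance of the "adds very little" argument quoted above; turning the setting off removes the dependence on every script remembering to do so.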