Register Globals !

  • Nel

    Register Globals !

    I have a question related to the "security" issues posed by Globals ON.

    It is good programming technique IMO to initialise variables, even if it's
    just
    $foo = 0;
    $bar = "";

    Surely it would be better to promote better programming than rely on PHP to
    compensate for lazy programming?

    Or does turning RG off have some other benefit of which I am not aware?

    Nel


    --
    DISCLAIMER: There is an extremely small but nonzero chance that,
    through a process known as "Tunnelling ", this e-mail may spontaneously
    disappear from its present location and reappear at any random place in the
    Universe, including your neighbour's domicile. The sender will not be
    responsible for any damages or inconvenience that may result.


  • Toni Schornboeck

    #2
    Re: Register Globals !

    Nel wrote:
    > I have a question related to the "security" issues posed by Globals ON.
    >
    > It is good programming technique IMO to initialise variables, even if it's
    > just
    > $foo = 0;
    > $bar = "";
    >
    > Surely it would be better to promote better programming than rely on PHP to
    > compensate for lazy programming?

    yes, that's right.
    If you program strict and in a good style register globals won't harm
    you. But what if you once forget to initialize a variable? Register
    Globals is not a real security hole, but some programmer may forget an
    initialization (for instance when many programmers work on that project).

    > Or does turning RG off have some other benefit of which I am not aware?

    yes: global variables are bad.
    why would one use them? because it is easy to work with global variables.

    If register globals is Off you are more likely to use less global variables.

    for instance:
    you use in a script (not in a function, in global namespace) a variable
    called $site, and some months later another programmer invents a new
    feature to display a table over more than one site -> he invents a GET
    param called $site to know which site actually is displayed -> you
    overwrite with your $site his GET $site and now you're in trouble.

    because PHP doesn't provide namespaces it is important to separate the
    different 'namespaces'. $_GET has nothing to do with the global
    namespace (of course it has, but it's kind of child of $GLOBALS - so
    this is how you should use it)

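The two cases raised in this thread, a forgotten initialisation and a script variable named $site colliding with a GET parameter of the same name, shown side by side as an added example that is not part of either post. The names legacy_page, strict_page and DEMO_PASSWORD and the sample values are hypothetical; extract() stands in for register_globals, which was removed in PHP 5.4.

```php
<?php
declare(strict_types=1);

const DEMO_PASSWORD = 'constructed-secret';   // constructed sample value

// register_globals=On, simulated: request parameters become plain variables
// before the page code runs. EXTR_SKIP only protects this function's own
// parameters from being replaced by the import.
function legacy_page(array $get, bool $initialise): array
{
    extract($get, EXTR_SKIP);

    if ($initialise) {
        $authorized = false;              // explicit initialisation
    }
    if (($password ?? '') === DEMO_PASSWORD) {
        $authorized = true;
    }

    $site = 'intranet';                   // the script's older, own $site
    // A later paging feature expects $site to hold the GET parameter, but the
    // assignment above has already replaced the imported value.
    return ['authorized' => !empty($authorized), 'site_shown' => $site];
}

// register_globals=Off: request input is reachable only through the array,
// so it cannot pre-seed or collide with the script's variables.
function strict_page(array $get): array
{
    $authorized = ($get['password'] ?? '') === DEMO_PASSWORD;
    $site = 'intranet';                   // script variable, untouched by input
    $page = $get['site'] ?? '1';          // request value, read explicitly
    return ['authorized' => $authorized, 'site_shown' => $page, 'script_site' => $site];
}

// Constructed request: no password, but a parameter named like a script variable.
$request = ['authorized' => '1', 'site' => '3'];

var_dump(legacy_page($request, false));   // initialisation forgotten
var_dump(legacy_page($request, true));    // initialised, $site still collides
var_dump(strict_page($request));          // input kept in its own array
```

Comparing the three dumps shows that initialising $authorized closes the first problem but not the $site collision, which only goes away when request input stays in its own array.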