Re: Shocking amount of PHP security holes? [message #171125 is a reply to message #171124]
Sat, 25 December 2010 23:35
Jerry Stuckle
Messages: 2598 Registered: September 2010
Senior Member
On 12/25/2010 5:38 PM, Twayne wrote:
> In news:5vn7h6l9g83o4fqplm3uttg7l1bvt3uhap(at)mfesser(dot)de,
> Michael Fesser<netizen(at)gmx(dot)de> typed:
>> .oO(Ignoramus30015)
>>
>>> On 2010-12-23, Álvaro G. Vicario
>>> <alvaro(dot)NOSPAMTHANX(at)demogracia(dot)com(dot)invalid> wrote:
>>>>
>>>> It was a wrong design decision taken by the PHP team many
>>>> years ago. In earlier versions PHP would automatically
>>>> create variables from several input sources so you could
>>>> code <input type="text" name="email"> and automatically
>>>> get user data available at $email. After that, the web
>>>> evolved, security became a concern and this feature was
>>>> (kind of) disabled.
>>>
>>> Thanks. Is there a way to for sure disable it, across the
>>> board, for
>>> all PHP programs?
>>
>> The keyword is 'register_globals'. Make sure that it's
>> disabled.
>>
>> Micha
>
> But beware, that adds very little to security. Read your php.ini for
> information about "register_globals".
> In fact, spend a little time reading the php.ini file, period.
> "Sanitizing data" and "data verification" would likely be two good search
> terms for you for PHP. Also "php manual" with or without the quotes.
>
> HTH,
>
> Twayne
>
>
On the contrary, it significantly enhances security, as those who really
understand PHP know.
I agree it doesn't replace proper validation of incoming data. But to
say it adds very little to security is a HUGE misstatement.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
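The register_globals behaviour discussed in the thread, shown as an added example (not code from any of the posters). Because the directive was removed in PHP 5.4, extract() over the request array is used here as a stand-in for what register_globals=On did, namely importing every request key as a PHP variable; the request arrays, the check_credentials() stub, and the 'alice'/'secret' pair are constructed for the demo.

```php
<?php
// Added example, not from the thread. Emulates register_globals=On with extract()
// and contrasts the classic uninitialised-flag bug with the explicit-superglobal form.
declare(strict_types=1);

function check_credentials(string $user, string $pass): bool
{
    // Stand-in for a real credential check (assumed for the demo).
    return $user === 'alice' && hash_equals('secret', $pass);
}

/**
 * register_globals-era pattern. $is_admin is only ever assigned on success and is
 * otherwise assumed to be unset, so a request carrying "is_admin=1" pre-populates
 * the flag before the check runs. extract() plays the role of register_globals.
 */
function admin_page_vulnerable(array $request): string
{
    extract($request); // emulates register_globals=On (request keys become variables)

    if (isset($user, $pass) && check_credentials($user, $pass)) {
        $is_admin = true;
    }
    // No initialisation of $is_admin: its value can come straight from the request.
    if (!empty($is_admin)) {
        return 'admin: access granted';
    }
    return 'admin: access denied';
}

/**
 * Hardened pattern: read inputs from a known source explicitly, initialise every
 * state variable before use, and never let request data choose variable names.
 * In a real script $request would be $_GET or $_POST.
 */
function admin_page_hardened(array $request): string
{
    $is_admin = false;                 // always initialised, regardless of input
    $user = (string) ($request['user'] ?? '');
    $pass = (string) ($request['pass'] ?? '');

    if ($user !== '' && $pass !== '' && check_credentials($user, $pass)) {
        $is_admin = true;
    }
    return $is_admin ? 'admin: access granted' : 'admin: access denied';
}

// Constructed requests for the demo: one forged flag, one genuine login.
$forged = ['is_admin' => '1'];
$legit  = ['user' => 'alice', 'pass' => 'secret'];

echo 'forged flag vs vulnerable: ', admin_page_vulnerable($forged), PHP_EOL;
echo 'forged flag vs hardened:   ', admin_page_hardened($forged), PHP_EOL;
echo 'real login  vs hardened:   ', admin_page_hardened($legit), PHP_EOL;

// Runtime check of the directive itself. On PHP >= 5.4 the directive no longer
// exists, so ini_get() returns false; on older builds anything other than
// '', '0' or 'Off' means it is enabled.
$rg = ini_get('register_globals');
$enabled = !($rg === false || $rg === '' || $rg === '0' || strcasecmp($rg, 'off') === 0);
echo 'register_globals enabled: ', $enabled ? 'yes' : 'no', PHP_EOL;
```

The point the hardened version makes is the one both sides of the thread agree on: turning register_globals off removes the path by which request data becomes an arbitrary local variable, but the code still has to initialise its own state and validate what it reads from $_GET/$_POST. Run with `php register_globals_demo.php` (filename assumed); the same check can be done from the shell with `php -i | grep register_globals` on builds old enough to still have the directive.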