FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Shocking amount of PHP security holes?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Shocking amount of PHP security holes? [message #171125 is a reply to message #171124] Sat, 25 December 2010 23:35 Go to previous messageGo to previous message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma:
Senior Member
On 12/25/2010 5:38 PM, Twayne wrote:
> In news:5vn7h6l9g83o4fqplm3uttg7l1bvt3uhap(at)mfesser(dot)de,
> Michael Fesser<netizen(at)gmx(dot)de> typed:
>> .oO(Ignoramus30015)
>>
>>> On 2010-12-23, ?lvaro G. Vicario
>>> <alvaro(dot)NOSPAMTHANX(at)demogracia(dot)com(dot)invalid> wrote:
>>>>
>>>> It was a wrong design decision taken by the PHP team many
>>>> years ago. In earlier versions PHP would automatically
>>>> create variables from several input sources so you could
>>>> code<input type="text" name="email"> and automatically
>>>> get user data available at $email. After that, the web
>>>> evolved, security become a concern and this feature was
>>>> (kind of) disabled.
>>>
>>> Thanks. Is there a way to for sure disable it, across the
>>> board, for
>>> all PHP programs?
>>
>> The keyword is 'register_globals'. Make sure that it's
>> disabled.
>>
>> Micha
>
> But beware, that adds very little to security. Read your php.ini for
> information about "register_globals".
> In fact, spend a little time reading the php.ini file, period.
> "Sanitizing data" and "data verification" would likely be two good search
> terms for you for PHP. Also "php manual" with or without the quotes.
>
> HTH,
>
> Twayne`
>
>

On the contrary, it significantly enhances security, as those who really
understand PHP know.

I agree it doesn't replace proper validation of incoming data. But to
say it adds very little to security is a HUGE misstatement.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: PHP
Next Topic: PHP WEBSITE DEVELOPER REQUIRED
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Wed Nov 27 01:59:19 GMT 2024

Total time taken to generate the page: 0.05228 seconds