| Re: Shocking amount of PHP security holes? [message #171147 is a reply to message #171146] |
Tue, 28 December 2010 02:24   |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma:
|
Senior Member |
|
|
On 12/27/2010 8:46 PM, Twayne wrote:
> In news:if5v4b$a2p$1(at)news(dot)eternal-september(dot)org,
> Jerry Stuckle<jstucklex(at)attglobal(dot)net> typed:
>> On 12/25/2010 5:38 PM, Twayne wrote:
>>> In news:5vn7h6l9g83o4fqplm3uttg7l1bvt3uhap(at)mfesser(dot)de,
>>> Michael Fesser<netizen(at)gmx(dot)de> typed:
>>>> .oO(Ignoramus30015)
>>>>
>>>> > On 2010-12-23, ?lvaro G. Vicario
>>>> > <alvaro(dot)NOSPAMTHANX(at)demogracia(dot)com(dot)invalid> wrote:
>>>> >>
>>>> >> It was a wrong design decision taken by the PHP team
>>>> >> many years ago. In earlier versions PHP would
>>>> >> automatically create variables from several input
>>>> >> sources so you could code<input type="text"
>>>> >> name="email"> and automatically get user data
>>>> >> available at $email. After that, the web evolved,
>>>> >> security become a concern and this feature was (kind
>>>> >> of) disabled.
>>>> >
>>>> > Thanks. Is there a way to for sure disable it, across the
>>>> > board, for
>>>> > all PHP programs?
>>>>
>>>> The keyword is 'register_globals'. Make sure that it's
>>>> disabled.
>>>>
>>>> Micha
>>>
>>> But beware, that adds very little to security. Read your
>>> php.ini for information about "register_globals".
>>> In fact, spend a little time reading the php.ini file,
>>> period. "Sanitizing data" and "data verification"
>>> would likely be two good search terms for you for PHP.
>>> Also "php manual" with or without the quotes. HTH,
>>>
>>> Twayne`
>>>
>>>
>>
>> On the contrary, it significantly enhances security, as
>> those who really understand PHP know.
>>
>> I agree it doesn't replace proper validation of incoming
>> data. But to say it adds very little to security is a HUGE
>> misstatement.
>
> You're opinion is wrong. When it can't perform one of the most important and
> basic security operations needed, it is doing little for security and leaves
> the gaping hole there for the many types of code injection et al that are
> possible.
> You're entitled to your opinion, such as it may be.
>
> So long troller.
>
>
And you're entitled to your own opinion, even though it's wrong, as it
usually is. If it were as you say, why would Zend spend the time and
money changing to code to get rid of it? And don't say it's a minor
matter - it really isn't.
And no one else here agrees with you. But then we all know you know
very little about security, troll.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]