Re: Shocking amount of PHP security holes? [message #171151 is a reply to message #171146]
Tue, 28 December 2010 11:32
The Natural Philosoph
Messages: 993 Registered: September 2010
Senior Member
Twayne wrote:
> In news:if5v4b$a2p$1(at)news(dot)eternal-september(dot)org,
> Jerry Stuckle <jstucklex(at)attglobal(dot)net> typed:
>> On 12/25/2010 5:38 PM, Twayne wrote:
>>> In news:5vn7h6l9g83o4fqplm3uttg7l1bvt3uhap(at)mfesser(dot)de,
>>> Michael Fesser <netizen(at)gmx(dot)de> typed:
>>>> .oO(Ignoramus30015)
>>>>
>>>> > On 2010-12-23, Álvaro G. Vicario
>>>> > <alvaro(dot)NOSPAMTHANX(at)demogracia(dot)com(dot)invalid> wrote:
>>>> >> It was a wrong design decision taken by the PHP team
>>>> >> many years ago. In earlier versions PHP would
>>>> >> automatically create variables from several input
>>>> >> sources so you could code <input type="text"
>>>> >> name="email"> and automatically get user data
>>>> >> available at $email. After that, the web evolved,
>>>> >> security become a concern and this feature was (kind
>>>> >> of) disabled.
>>>> > Thanks. Is there a way to for sure disable it, across the
>>>> > board, for
>>>> > all PHP programs?
>>>> The keyword is 'register_globals'. Make sure that it's
>>>> disabled.
>>>>
>>>> Micha
>>> But beware, that adds very little to security. Read your
>>> php.ini for information about "register_globals".
>>> In fact, spend a little time reading the php.ini file,
>>> period. "Sanitizing data" and "data verification"
>>> would likely be two good search terms for you for PHP.
>>> Also "php manual" with or without the quotes. HTH,
>>>
>>> Twayne
>>>
>>>
>> On the contrary, it significantly enhances security, as
>> those who really understand PHP know.
>>
>> I agree it doesn't replace proper validation of incoming
>> data. But to say it adds very little to security is a HUGE
>> misstatement.
>
> Your opinion is wrong. When it can't perform one of the most important and
> basic security operations needed, it is doing little for security and leaves
> the gaping hole there for the many types of code injection et al that are
> possible.
> You're entitled to your opinion, such as it may be.
>
> So long troller.
>
>
which basically says, to anyone who actually understands what is being
discussed, that you are the one who is trolling, with almost no
knowledge of that whereof you speak.
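The hazard the thread is arguing about, as an added illustration that is not part of any post above: with register_globals on, every request parameter became a PHP variable, so a script that only set a flag on success could have that flag pre-set by the client. The constructed request array, the `check_password()` stub and the use of `extract()` to stand in for register_globals (which PHP 5.4 and later no longer have) are all assumptions of this example.

```php
<?php
// Added example (not from the thread). Models what register_globals did:
// every request parameter became a global variable, so a client-supplied
// ?authorized=1 could pre-set a variable the script never initialised.
// extract() on a constructed request array stands in for register_globals,
// which modern PHP (5.4+) no longer has.

// Constructed sample request, as if the query string were ?user=bob&authorized=1
$request = ['user' => 'bob', 'authorized' => '1'];

function check_password(string $user): bool {
    // Assumed stub: a real script would verify credentials here.
    return false;
}

// Pattern that register_globals made unsafe: $authorized is only assigned
// on success and never initialised on the failure path.
function vulnerable(array $request): bool {
    extract($request);            // emulates register_globals = On
    if (check_password($user)) {
        $authorized = true;
    }
    return !empty($authorized);   // the client's '1' survives into the check
}

// Hardened version: read input only from the request array (the superglobal
// in a real script), validate it, and initialise every flag explicitly.
function hardened(array $request): bool {
    $authorized = false;                              // always initialised
    $user = filter_var($request['user'] ?? '', FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '/^[a-z0-9_]{1,32}$/i']]);
    if ($user !== false && check_password($user)) {
        $authorized = true;
    }
    return $authorized;
}

// Defensive startup check for older installs: ini_get() returns false on
// PHP builds where the directive no longer exists, which counts as "off".
function register_globals_is_on(): bool {
    $v = ini_get('register_globals');
    return $v !== false && filter_var($v, FILTER_VALIDATE_BOOLEAN);
}

var_dump(vulnerable($request));
var_dump(hardened($request));
var_dump(register_globals_is_on());
```

Note that the hardened version stays correct whether or not the directive is on, which is the point Jerry and Twayne are both circling: disabling register_globals removes one injection path, and explicit initialisation plus validation removes the rest.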