
Register Globals !

Nel
I have a question related to the "security" issues posed by Globals ON.

It is good programming technique IMO to initialise variables, even if it's
just
$foo = 0;
$bar = "";

Surely it would be better to promote better programming than rely on PHP to
compensate for lazy programming?

Or does turning RG off have some other benefit of which I am not aware?

Nel
--
DISCLAIMER: There is an extremely small but nonzero chance that,
through a process known as "Tunnelling", this e-mail may spontaneously
disappear from its present location and reappear at any random place in the
Universe, including your neighbour's domicile. The sender will not be
responsible for any damages or inconvenience that may result.
Jul 16 '05 #1
1 Reply


Nel wrote:
> I have a question related to the "security" issues posed by Globals ON.
>
> It is good programming technique IMO to initialise variables, even if it's
> just
> $foo = 0;
> $bar = "";
>
> Surely it would be better to promote better programming than rely on PHP to
> compensate for lazy programming?

Yes, that's right.
If you program strictly and in a good style, register globals won't harm
you. But what if you once forget to initialize a variable? Register
Globals is not a real security hole, but some programmers may forget an
initialization (for instance when many programmers work on that project).

> Or does turning RG off have some other benefit of which I am not aware?


Yes: global variables are bad.
Why would one use them? Because it is easy to work with global variables.

If register globals is Off you are more likely to use fewer global variables.

For instance:
you use in a script (not in a function, in the global namespace) a variable
called $site, and some months later another programmer invents a new
feature to display a table over more than one site -> he invents a GET
param called $site to know which site is actually displayed -> you
overwrite his GET $site with your $site and now you're in trouble.

Because PHP doesn't provide namespaces it is important to separate the
different 'namespaces'. $_GET has nothing to do with the global
namespace (of course it has, but it's kind of a child of $GLOBALS - so
this is how you should use it)

Jul 16 '05 #2
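
The two problems described in the reply above (a forgotten initialization and the $site name collision), as an added example that is not part of the original thread. register_globals was removed in PHP 5.4, so it is emulated here with extract() on a constructed request array; the function names and sample values are assumptions made for illustration.

```php
<?php
// Constructed request data standing in for $_GET (not from the thread).
$request = ['authorized' => '1', 'site' => '3'];

// Emulates register_globals = On: every request parameter becomes a plain
// variable in the script's scope before the script body runs.
function legacy_page(array $request, bool $passwordOk): array
{
    extract($request);   // what register_globals did implicitly

    // Forgotten initialization: $authorized is only assigned on success,
    // so on failure whatever the request supplied is still in place.
    if ($passwordOk) {
        $authorized = true;
    }

    // The script's own $site (a label) replaces the request parameter
    // of the same name that the newer paging feature depends on.
    $site = 'intranet';
    $page = (int) $site;  // paging code reads $site, expecting the GET value

    return ['authorized' => !empty($authorized), 'site' => $site, 'page' => $page];
}

// register_globals = Off style: request data stays in its own array and
// every variable the script relies on is initialized before use.
function strict_page(array $request, bool $passwordOk): array
{
    $authorized = false;  // explicit initialization
    if ($passwordOk) {
        $authorized = true;
    }

    $site = 'intranet';   // script variable, cannot collide with the request
    $page = isset($request['site']) ? (int) $request['site'] : 1;

    return ['authorized' => $authorized, 'site' => $site, 'page' => $page];
}

// The password check fails in both calls; compare the 'authorized' and
// 'page' fields of the two results.
var_dump(legacy_page($request, false));
var_dump(strict_page($request, false));
```
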
