This is only my stubborn opinion...

I would turn it on for now with a warning that it will be turned off
soon... 

I work for a company which is strictly Microsoft/Domino Technology and
until I arrived, many have not heard of PHP and for the few that did,
well let's just say that sloppy, unstable, and inconsistent code which
they have seen has made it hard for me to get an opportunity to display
what PHP can do... Fortunately, I now have the opportunity and
discussions are reduced to the basic Google searches... php vs.
asp/jsp/lotus script.

So in summary, try to push for some form of coding standard, it might
help PHP in the long run.

-----Original Message-----
From: Chris Shiflett [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, July 16, 2003 11:22 PM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] How unsafe is register_globals?

--- Paul Chvostek <[EMAIL PROTECTED]> wrote:
> I've got this new server running with folks from all over
> uploading PHP code. I don't know all the folks, so I've
> turned on safe_mode, set an open_basedir to each user's
> documentroot, and left register_globals at its default.
> 
> And now I'm getting scads of requests to turn on
> register_globals from folks who want to run php-nuke and
> some other established packages that rely on it.

First, your instincts are good, and register_globals is best left off.
However, that is the developer in me speaking.

From an administrator's perspective, it really doesn't matter. Turning
it on won't allow your users (who are themselves developers) to do
anything more malicious than leaving it off would; it doesn't give them
more power or privilege. In fact, since register_globals is no magic
cure, it won't even necessarily make the applications that they run
and/or develop any more secure. They could develop an application just
as insecure with register_globals off, and it really only affects their
application and their users for the most part anyway.

So, I would turn it on if I were in your situation, or rather, I would
allow them to override the default settings via a .htaccess file
(assuming Apache).

Hope that helps.

Chris

=====
Become a better Web developer with the HTTP Developer's Handbook
http://httphandbook.org/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
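
One way to set up the per-directory override suggested above, alongside the safe_mode and open_basedir restrictions from the original question. This is an added example, not configuration posted in this thread; it assumes PHP runs as an Apache module, and the host name, user and paths are placeholders.

```apache
# Constructed example: host name, user and paths are placeholders.
# Server config (httpd.conf), with PHP loaded as an Apache module.
<VirtualHost *:80>
    ServerName alice.example.com
    DocumentRoot /home/alice/public_html

    # php_admin_* settings cannot be overridden from .htaccess or ini_set(),
    # so the containment settings stay under the administrator's control.
    php_admin_flag  safe_mode    on
    php_admin_value open_basedir /home/alice/public_html/

    # Default for this host. Because this is php_flag and not php_admin_flag,
    # a .htaccess file may override it per directory.
    php_flag register_globals off

    <Directory /home/alice/public_html>
        # "Options" is the override class that permits php_flag/php_value
        # lines in .htaccess. It also lets the user change Apache's own
        # Options directive, so review what that exposes on your server.
        AllowOverride Options
    </Directory>
</VirtualHost>

# /home/alice/public_html/nuke/.htaccess, written by the user:
# turns register_globals on only for the package that depends on it.
php_flag register_globals on
```

With this layout the user's override reaches only register_globals in that one directory, while safe_mode and open_basedir remain fixed by the server configuration.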

