[nycphp-talk] Global settings in PHP

Anthony Tanzola anthony at tanzola.com
Thu May 8 11:39:27 EDT 2003


Fortunately I am not out any money, as this book was given to me by a
coworker. (Probably after my job!)

Thanks for all the input.

Anthony

>-----Original Message-----
>From: Hans Zaunere [mailto:hans at nyphp.org]
>Sent: Wednesday, May 07, 2003 2:30 PM
>To: NYPHP Talk
>Subject: Re: [nycphp-talk] Global settings in PHP
>
>Hi Anthony,
>
>--- Anthony Tanzola <anthony at emr.net> wrote:
>> Hey List!
>>
>> I am somewhat new to php, though not to web development.  I am attempting
>> to send information from a web form to a php document.  I then want to create
>> session variables and have the ability to manipulate the session variables
>> as needed.
>>
>> The book I have uses examples throughout that require the following setting
>> in the php.ini file:
>>
>> register_globals = On
>
>Hark!  Burn that book!
>
>Seriously though, I would not use that book to learn from.
>register_globals = On is a curse from the early days of PHP and needs to be
>eliminated, for several reasons.
>
>1) Security - a user can override variables in your script and cause absolute
>havoc very easily.
>
>2) Style - As I've said, register_globals has probably been the one setting
>that has hurt PHP's reputation as an 'Enterprise Solution.'  Granted, I don't
>know what that means either, but it's not good programming style to use it.
>
>3) Compatibility - Modern versions of PHP (since about 4.2.x I think) default
>to register_globals = Off.  As such, your scripts won't work with modern
>servers and any convenience you've found in using it now will be dwarfed by
>future dealings with your server administrator, other developers, users and
>the public in general.
>
>4) People will laugh at you!
>
>Sorry to be so harsh, but I feel very strongly about this one  :)
>
>> This elevates the need for $_POST["my_posted_data"] when retrieving posted
>> data.
>
>Absolutely, and the superglobals (ie $_POST, $_GET) make it a breeze.  Just a
>tip, though, unless there's a dollar sign (variable) inside the braces, use
>single quotes.  $_POST['my_posted_data'] is much faster.
>
>> Also it allows me to register session variables as such:
>>
>> session_register("variable_1", "variable_2", "variable_3", "variable_4",
>> "variable_5", "variable_6")
>>
>> as well as do other things with sessions.
>>
>> I am wondering what the pros and cons are of setting globals to "on".  It
>> seems to be a convenience, but are there any downsides or security issues?
>
>Yeah, basically all cons.  The only pro could be considered short-term
>convenience, but as I mentioned, you'll end up paying for it.
>
>H
>
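
The variable-override risk from point 1 of the quoted reply, shown beside the superglobal-style replacement. This is an added example, not code from the thread: `extract()` stands in for `register_globals = On` (the setting was removed in PHP 5.4), and the function names, the `is_admin` flag and the request array are constructed for illustration.

```php
<?php
// Constructed request data standing in for $_GET/$_POST; no web server needed.
$request = ['user' => 'guest', 'is_admin' => '1'];

// Emulates register_globals = On: every request key becomes a variable
// in scope before the script's own logic runs.
function legacy_page(array $request): string
{
    extract($request);                 // what register_globals did implicitly
    if (isset($user) && $user === 'alice') {
        $is_admin = true;              // only assigned on the privileged path
    }
    // $is_admin was never initialised, so a request-supplied value survives.
    return !empty($is_admin) ? 'admin panel' : 'public page';
}

// register_globals = Off style: read named keys from the request array,
// initialise every variable, and take trusted state from the session only.
function hardened_page(array $post, array &$session): string
{
    $is_admin = false;                 // explicit default, cannot be injected
    $user = (isset($post['user']) && is_string($post['user'])) ? $post['user'] : '';
    if (!preg_match('/^[a-z0-9_]{1,32}$/', $user)) {
        return 'bad request';          // reject anything outside the expected shape
    }
    $session['user'] = $user;          // replaces session_register("user")
    if (!empty($session['is_admin'])) {
        $is_admin = true;              // set server-side at login, never from input
    }
    return $is_admin ? 'admin panel' : 'public page';
}

$session = [];                         // stands in for $_SESSION after session_start()
echo legacy_page($request), "\n";
echo hardened_page($request, $session), "\n";
```

The same request reaches both functions; only the legacy one lets the `is_admin` key from the request decide the outcome.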



