
[nycphp-talk] Syntax question (was handling forms (relative newbie))

Chris Shiflett shiflett at php.net
Mon Oct 6 17:21:49 EDT 2003


--- David Mintz <dmintz at panix.com> wrote:
> I seem to recall in ancient times (4 years ago?) reading PHP
> tutorials online that said, in substance, PHP is just great because
> if you have a form element named "foo", then when the form is
> submitted you automatically get its value available to you in $foo,
> isn't that the coolest?

Yes, that was the coolest. :-)

It all has to do with perspective. If you go back five years ago or more, most
people using PHP also have experience working with CGIs written in C or
something like that. These people know *exactly* where and how they are getting
data from the client. In fact, they know all too well and are wanting to get
rid of some of the hassle. PHP takes away the hassle, freeing developers to
focus on the business logic. This is very nice, but it is only nice because the
developers are already experienced. They understand what PHP is doing for them.

Now we have people who learn Web development with PHP. They have no previous
experience. This is where the "problem" originates. PHP makes things so easy
that it abstracts many of the details from you. The result is that developers
have no idea where data is coming from or how. What makes this worse is that
these developers often don't care. Security vulnerabilities spread like the
plague...

So, the PHP development team decides to make register_globals disabled by
default. This won't solve these security vulnerabilities, but it does force
developers to understand where data comes from and can save them from a few
common errors. Now the problem is that php-general gets several questions a
week that boil down to the same thing - register_globals is disabled, and the
developer asking the question doesn't understand why $foo is empty.
Unfortunately, a lot of people get tired of answering this same question (or
begging the one asking the question to search the archives, where the question
has been answered in great detail) and instruct the developer to enable
register_globals. Of course, the types of people asking this question are
exactly the ones who need to leave register_globals disabled and crank up their
error reporting to the highest level. Security vulnerabilities continue to
spread like the plague...

That's a very abbreviated history from my perspective. Hopefully the next
chapter will be better. :-)

I should also mention that I develop with register_globals disabled, and I do
not mean to suggest that experienced developers are immune from errors. I only
mean to point out that the major problem with register_globals is a result of a
new generation (Internet time moves quickly, you know) of developers who begin
with PHP.

Chris

=====
My Blog
     http://shiflett.org/
HTTP Developer's Handbook
     http://httphandbook.org/
RAMP Training Courses
     http://www.nyphp.org/ramp
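As an added illustration of the point above about knowing where data comes from, here is a small form handler written the explicit way in current PHP. It is example code, not code from the post or from NYPHP; the field names `foo` and `action`, the helper `read_form_field`, and the `$authorized` flag are assumptions for illustration.

```php
<?php
// Added example (not from the original post): the same form handler that
// used to rely on register_globals, rewritten so every input names its source.
// Field names "foo" and "action" are assumed for illustration.

// Crank error reporting up, as the post recommends. With register_globals
// off, a leftover reference to a bare $foo now produces an "undefined
// variable" notice instead of silently evaluating to empty.
error_reporting(E_ALL);
ini_set('display_errors', '1');

// What register_globals did, for context (illustrative only):
// with the directive on, PHP effectively did the equivalent of
//     foreach ($_POST as $name => $value) { $$name = $value; }
// before your script ran, so $foo "just appeared". The script could not
// tell its own variables from ones supplied by the client, which is why the
// directive is now off by default.

/**
 * Read one string field from an explicit input source ($_POST, $_GET, ...).
 * If the field is absent, or is not a plain string (e.g. foo[] arrays),
 * the caller's default is returned, so "missing" is a decision, not an accident.
 */
function read_form_field(array $source, string $name, string $default = ''): string
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return $default;
    }
    return $source[$name];
}

// State that must never come from the client is initialised by the script
// before any input is looked at. Submitting authorized=1 in the form cannot
// change it, because nothing copies request data into this variable.
$authorized = false;

$foo    = read_form_field($_POST, 'foo');
$action = read_form_field($_POST, 'action', 'view');

if ($foo === '') {
    // This is the situation behind the weekly "$foo is empty" question:
    // the value is in $_POST['foo'], not in a bare $foo.
    echo "The form field 'foo' was not submitted.\n";
} else {
    // Encoding on output is a separate concern from input source, but it is
    // part of the same habit of treating client data explicitly.
    echo 'foo = ' . htmlspecialchars($foo, ENT_QUOTES, 'UTF-8') . "\n";
}

if ($authorized) {
    echo 'privileged action: ' . htmlspecialchars($action, ENT_QUOTES, 'UTF-8') . "\n";
} else {
    echo "not authorized for action '" . htmlspecialchars($action, ENT_QUOTES, 'UTF-8') . "'\n";
}
```

Run it behind a web server and POST a form with a `foo` field; with `foo` omitted (or sent as `foo[]`) the handler takes the explicit default branch rather than working with a variable the script never set. The type declarations and `$$name` comment are modern PHP idiom and a description of the old behaviour respectively, not something the 2003 post itself shows.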
