Interesting View from the Creator of PHP


JPlush76
Forum Regular
Posts: 819
Joined: Thu Aug 01, 2002 5:42 pm
Location: Los Angeles, CA

Post by JPlush76 »

Here is a snippet from an article I read with the creator of PHP, Rasmus Lerdorf, on REGISTER GLOBALS = OFF:
SP: What are your views on Magic Quotes and Register Globals?

RL: Register Globals is one of the features that brought people to PHP. The simplicity of creating Web applications when form and other variables were automatically available could not be beaten.

I was personally not in favour of turning Register Globals off by default. It adds very little to the overall security of an application. If people do not check data coming from the user then with or without Register Globals enabled that application is going to be insecure.

The only time having Register Globals off helps is when you forget to initialize a variable before you use it and someone who knows your code exploits that. By changing the error reporting level you can have PHP find these cases for you automatically. So in the end, all I think turning Register Globals off has done is make writing PHP apps more complicated.

And it has of course also generated 10-20 questions/bug reports per day from users who are confused about this change.

http://www.webmasterbase.com/article/767
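As an added illustration (not from the thread or the quoted article) of the uninitialised-variable case Rasmus describes, here is the classic login gate as it behaves with register_globals on, beside the hardened version; check_login() and the request array are constructed stand-ins, and extract() only simulates what register_globals did so the script runs on current PHP:

```php
<?php
// Added example, not from the thread or the article. Raising the error level
// is the automatic detection Rasmus mentions: if the request does not carry
// 'authorized', PHP now warns about the undefined read in the vulnerable branch.
error_reporting(E_ALL);

// Hypothetical stand-in for a real credential check.
function check_login(string $user, string $pass): bool {
    return $user === 'alice' && hash_equals('correct-horse', $pass);
}

// With register_globals = On every request parameter became a global before
// the script ran. Simulated here with extract() on a constructed request that
// carries no credentials at all, only a variable name the attacker guessed.
$request = ['authorized' => '1'];
extract($request, EXTR_SKIP);

// Vulnerable: $authorized is only ever *set* on success, never initialised,
// so the request-supplied value survives when the login check fails.
if (check_login($request['user'] ?? '', $request['pass'] ?? '')) {
    $authorized = true;
}
$vulnerable_result = (bool) $authorized;    // true here although login failed

// Hardened: initialise first and read input only through the named array
// (in real code $_POST). Behaves the same with register_globals On or Off.
function hardened_gate(array $post): bool {
    $authorized = false;                    // explicit initial state
    $user = (string) ($post['user'] ?? '');
    $pass = (string) ($post['pass'] ?? '');
    if (check_login($user, $pass)) {
        $authorized = true;
    }
    return $authorized;
}
$hardened_result = hardened_gate($request); // false: nothing to bypass

printf("vulnerable: %s, hardened: %s\n",
    var_export($vulnerable_result, true), var_export($hardened_result, true));
```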
Takuma
Forum Regular
Posts: 931
Joined: Sun Aug 04, 2002 10:24 am
Location: UK

Post by Takuma »

Mmmm :?
OK, so he doesn't like REGISTER GLOBALS being OFF. I first thought of that, but I'm now used to using $_POST etc. But the problem with this is that in older versions of PHP you can't use it, so... :roll:

It definitely confused me at first.
phice
Moderator
Posts: 1416
Joined: Sat Apr 20, 2002 3:14 pm
Location: Dallas, TX

Post by phice »

I found that the server-side PHP scripting sounds interesting...
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

Do you mean client-side?
SP: What's been the most surprising or innovative use of PHP you've seen on the Internet?

RL: I keep seeing new and weird things, the latest being Wez Furlong's ActiveScript SAPI module, which lets you do client-side PHP like this: ....
phice
Moderator
Posts: 1416
Joined: Sat Apr 20, 2002 3:14 pm
Location: Dallas, TX

Post by phice »

errr, yes. I kept typo'ing. :P
BDKR
DevNet Resident
Posts: 1207
Joined: Sat Jun 08, 2002 1:24 pm
Location: Florida

Post by BDKR »

I agree with what Rasmus has to say, but even before 4.2 and the change from $HTTP_POST_VARS to $_POST, I had already changed my personal standard to using the $HTTP_POST(or GET)_VARS array and found that it helps a lot from the viewpoint of uniformity.

Not saying that you have to be uniform!

Later on,
BDKR
phice
Moderator
Posts: 1416
Joined: Sat Apr 20, 2002 3:14 pm
Location: Dallas, TX

Post by phice »

Before PHP 4.2, was there a $HTTP_GET/POST_VARS?

If not, that's probably why they made the move.
Takuma
Forum Regular
Posts: 931
Joined: Sun Aug 04, 2002 10:24 am
Location: UK

Post by Takuma »

I don't know... :oops: I think there was probably something similar, or the same one.
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

The $HTTP_xxx_VARS arrays have been around since version 3 IIRC. Lots of people didn't know they existed or didn't bother using them which is what I guess forced the change to register globals being off since there were probably loads of very insecure login scripts out there.

Mac
mikeq
Forum Regular
Posts: 512
Joined: Fri May 03, 2002 3:33 am
Location: Edinburgh, Scotland

Post by mikeq »

So what is the best thing to do: have them on or off?
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

I'd go for off. It won't make a lot of difference to the security of your code (you can still use $_REQUEST after all) but since register_globals has been deprecated it will be removed in a later version of PHP. At some point you won't be able to just edit the php.ini and turn it on so it's probably best to get used to life without it no matter what version of PHP you have.

Some hosts may leave it off too, believing that it offers greater security, as will many individuals running their own webservers; therefore code that can only run with reg_globals on is not as portable as code written to work with it off, hence the number of problems we see in the forum.

To conclude:
If you want to write code that'll work in a few years time and you want to be able to move your code to servers that may or may not have reg_globals turned on, turn it off.

Mac
mikeq
Forum Regular
Posts: 512
Joined: Fri May 03, 2002 3:33 am
Location: Edinburgh, Scotland

Post by mikeq »

Thanks for the reply twigletmac :)
jason
Site Admin
Posts: 1767
Joined: Thu Apr 18, 2002 3:14 pm
Location: Montreal, CA

Post by jason »

Write for register_globals off, of course, and not for the reason of portability. Using $_GET['username'] is much more telling than $username. Using these global arrays makes your code more readable, and makes writing functions and classes that use them easier as well.
BDKR
DevNet Resident
Posts: 1207
Joined: Sat Jun 08, 2002 1:24 pm
Location: Florida

On sessions and other stuff....

Post by BDKR »

SP: Current 'session' variables use disk space (e.g. /tmp) which is no good for high-traffic sites. Are there plans to remedy this?

RL: Right from day one of the session support in PHP, we provided a shared memory backend session handler. Just set your handler to mm instead of files in php.ini. However, for high-traffic sites this is not the solution. The real solution is to load-balance the site across multiple servers.

Having session data in memory on a single machine doesn't solve anything. For this, you write yourself a session save handler and stick your session data into a central database of some sort. See http://php.net/session_set_save_handler.

This is another thing that I agree with. The built-in use of sessions using the /tmp directory is great and gets lots of people into the ball park rather quickly, but scaling upwards is obviously a different story altogether.

SP: What's been the most surprising or innovative use of PHP you've seen on the Internet?

RL: I keep seeing new and weird things, the latest being Wez Furlong's ActiveScript SAPI module, which lets you do client-side PHP like this:

<html>
  ...
  <script language="ActivePHP">
    function clickit() {
      $GLOBALS["window"]->open("http://www.php.net");
    }
  </script>
  ...
  <img src="..." onclick="clickit();" />
</html>

This is something that I'm surprised more people haven't mentioned. I was stunned! Does anyone care to comment on this? I want to make sure I'm understanding this correctly.

Cheers,
BDKR
Takuma
Forum Regular
Posts: 931
Joined: Sun Aug 04, 2002 10:24 am
Location: UK

Post by Takuma »

I've never heard of ActivePHP