Here is a snippet from an article I read with the creator of PHP, Rasmus Lerdorf, on REGISTER GLOBALS = OFF:
SP: What are your views on Magic Quotes and Register Globals?
RL: Register Globals is one of the features that brought people to PHP. The simplicity of creating Web applications when form and other variables were automatically available could not be beaten.
I was personally not in favour of turning Register Globals off by default. It adds very little to the overall security of an application. If people do not check data coming from the user then with or without Register Globals enabled that application is going to be insecure.
The only time having Register Globals off helps is when you forget to initialize a variable before you use it and someone who knows your code exploits that. By changing the error reporting level you can have PHP find these cases for you automatically. So in the end, all I think turning Register Globals off has done is make writing PHP apps more complicated.
And it has of course also generated 10-20 questions/bug reports per day from users who are confused about this change.
Mmmm
OK, so he doesn't like REGISTER GLOBALS being OFF. I first thought of that, but I'm now used to using $_POST etc. But the problem with this is that in older versions of PHP you can't use it, so...
I agree with what Rasmus has to say, but even before 4.2 and the change from $HTTP_POST_VARS to $_POST, I had already changed my personal standard to using the $HTTP_POST(or GET)_VARS array and found that it helps a lot from the viewpoint of uniformity.
The $HTTP_xxx_VARS arrays have been around since version 3 IIRC. Lots of people didn't know they existed or didn't bother using them which is what I guess forced the change to register globals being off since there were probably loads of very insecure login scripts out there.
I'd go for off. It won't make a lot of difference to the security of your code (you can still use $_REQUEST after all), but since register_globals has been deprecated it will be removed in a later version of PHP. At some point you won't be able to just edit the php.ini and turn it on, so it's probably best to get used to life without it no matter what version of PHP you have.
Some hosts may leave it off too, believing that it offers greater security, as will many individuals running their own web servers. Therefore, code that can only run with reg_globals on is not as portable as code written to work with it off, hence the number of problems we see in the forum.
To conclude:
If you want to write code that'll work in a few years time and you want to be able to move your code to servers that may or may not have reg_globals turned on, turn it off.
Write for register_globals off, of course, and not for the reason of portability. Using $_GET['username'] is much more telling than $username. Using these global variables makes your code more readable, and makes writing functions and classes that use them easier as well.
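An added illustration (my own, not code from the thread or from the interview) of the uninitialized-variable case Rasmus describes, beside the register_globals-off style this post argues for. The helpers password_matches() and show_admin_page() are assumed to exist elsewhere.

```php
<?php
// Added example, not from the thread. Helpers password_matches() and
// show_admin_page() are assumed to be defined elsewhere.

// E_ALL includes E_NOTICE, so PHP reports a read of an unset variable such
// as $authorized below. This is the automatic detection Rasmus refers to.
error_reporting(E_ALL);
ini_set('display_errors', '0');   // log notices rather than printing them
ini_set('log_errors', '1');

/*
 * Legacy pattern that only "works" with register_globals = On:
 *
 *     if (password_matches($username, $password)) {
 *         $authorized = true;
 *     }
 *     if ($authorized) { show_admin_page(); }
 *
 * $username and $password appear out of nowhere because register_globals
 * creates a PHP variable for every request field. The same mechanism also
 * creates $authorized from a request field named "authorized", so a request
 * that fails or skips the login check can still reach show_admin_page().
 * Nothing in the code says where any of these values came from.
 */

// register_globals-off version: every input is read from the superglobal
// that names its source, and the flag is initialized before it is tested,
// so no request field can pre-set it.
$authorized = false;

$username = (isset($_POST['username']) && is_string($_POST['username']))
    ? $_POST['username'] : '';
$password = (isset($_POST['password']) && is_string($_POST['password']))
    ? $_POST['password'] : '';

if ($username !== '' && password_matches($username, $password)) {
    $authorized = true;
}

if ($authorized) {
    show_admin_page();
}

// Check for an inherited host: register_globals was removed in PHP 5.4, so
// ini_get() returns false there; on older builds this tells you whether the
// switch is still on, even though the code above no longer depends on it.
if (ini_get('register_globals')) {
    error_log('register_globals is on; other legacy scripts on this host may rely on it');
}
```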
SP: Current 'session' variables use disk space (e.g. /tmp) which is no good for high-traffic sites. Are there plans to remedy this?
RL: Right from day one of the session support in PHP, we provided a shared memory backend session handler. Just set your handler to mm instead of files in php.ini. However, for high-traffic sites this is not the solution. The real solution is to load-balance the site across multiple servers.
Having session data in memory on a single machine doesn't solve anything. For this, you write yourself a session save handler and stick your session data into a central database of some sort. See http://php.net/session_set_save_handler.
This is another thing that I agree with. The built-in use of sessions using the /tmp directory is great and gets lots of people into the ball park rather quickly, but scaling upwards is obviously a different story altogether.
SP: What's been the most surprising or innovative use of PHP you've seen on the Internet?
RL: I keep seeing new and weird things, the latest being Wez Furlong's ActiveScript SAPI module, which lets you do client-side PHP like this:
This is something that I'm surprised more people haven't mentioned. I was stunned! Does anyone care to comment on this? I want to make sure I'm understanding this correctly.