Interesting View from the Creator of PHP

Posted: Wed Sep 04, 2002 11:39 am
by JPlush76
Here is a snippet from an article I read with the creator of PHP, Rasmus Lerdorf, on REGISTER GLOBALS = OFF.
SP: What are your views on Magic Quotes and Register Globals?

RL: Register Globals is one of the features that brought people to PHP. The simplicity of creating Web applications when form and other variables were automatically available could not be beaten.

I was personally not in favour of turning Register Globals off by default. It adds very little to the overall security of an application. If people do not check data coming from the user then with or without Register Globals enabled that application is going to be insecure.

The only time having Register Globals off helps is when you forget to initialize a variable before you use it and someone who knows your code exploits that. By changing the error reporting level you can have PHP find these cases for you automatically. So in the end, all I think turning Register Globals off has done is make writing PHP apps more complicated.

And it has of course also generated 10-20 questions/bug reports per day from users who are confused about this change.

http://www.webmasterbase.com/article/767
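
As an added illustration (not part of the thread or the interview) of the uninitialized-variable case Rasmus describes, in PHP: the first function simulates register_globals=On with extract(), the second is the initialized form that reads input only from an explicit array such as $_POST. The names $authorized and $user and the request arrays are constructed.

```php
<?php
// Added example (constructed, not from the thread): the uninitialized-variable
// case Rasmus describes, beside the initialized, superglobal-reading form.
error_reporting(E_ALL); // as Rasmus notes, E_ALL makes PHP flag the uninitialized read

// Vulnerable pattern. extract() simulates register_globals=On by turning every
// request key into a local variable, much as the old setting did for globals.
function checkAccessWithRegisterGlobals(array $request): bool
{
    extract($request, EXTR_OVERWRITE);
    if (isset($user) && $user === 'admin') {
        $authorized = true;
    }
    // $authorized was never initialized. If the request itself carried an
    // "authorized" key it is already set; if it carried nothing, PHP emits
    // "Undefined variable $authorized" under E_ALL, which is the hint to fix it.
    return (bool) $authorized;
}

// Hardened pattern: every variable is initialized and input has one explicit source.
function checkAccessHardened(array $request): bool
{
    $authorized = false;
    $user = $request['user'] ?? '';
    if ($user === 'admin') {
        $authorized = true;
    }
    return $authorized;
}

// In a real script $request would be $_POST or $_GET; these inputs are constructed.
var_dump(checkAccessWithRegisterGlobals(['authorized' => '1'])); // request supplies the flag
var_dump(checkAccessWithRegisterGlobals(['user' => 'guest']));   // flag absent: E_ALL warns
var_dump(checkAccessHardened(['authorized' => '1']));            // stray key is ignored
var_dump(checkAccessHardened(['user' => 'admin']));              // only the real check counts
```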

Posted: Wed Sep 04, 2002 3:54 pm
by Takuma
Mmmm :?
OK, so he doesn't like the REGISTER GLOBALS being OFF. I first thought of that, but I'm now used to using $_POST etc. But the problem with this is that in older versions of PHP you can't use it so... :roll:

It definitely confused me at first.

Posted: Wed Sep 04, 2002 9:28 pm
by phice
I found the server-side PHP scripting sounds interesting.

Posted: Thu Sep 05, 2002 10:45 am
by volka
do you mean client-side?
SP: What's been the most surprising or innovative use of PHP you've seen on the Internet?

RL: I keep seeing new and weird things, the latest being Wez Furlong's ActiveScript SAPI module, which lets you do client-side PHP like this: ....

Posted: Thu Sep 05, 2002 1:54 pm
by phice
errr, yes. I kept typo'ing. :P

Posted: Mon Sep 09, 2002 4:10 pm
by BDKR
I agree with what Rasmus has to say, but even before 4.2 and the change from $HTTP_POST_VARS to $_POST, I had already changed my personal standard to using the $HTTP_POST(or GET)_VARS array and found that it helps a lot from the viewpoint of uniformity.

Not saying that you have to be uniform!

Later on,
BDKR

Posted: Mon Sep 09, 2002 9:58 pm
by phice
Before PHP 4.2, was there a $HTTP_GET/POST_VARS?

If not, that's probably why they made the move.

Posted: Tue Sep 10, 2002 1:24 am
by Takuma
I don't know... :oops: I think there was probably something similar or the same one.

Posted: Tue Sep 10, 2002 1:56 am
by twigletmac
The $HTTP_xxx_VARS arrays have been around since version 3 IIRC. Lots of people didn't know they existed or didn't bother using them which is what I guess forced the change to register globals being off since there were probably loads of very insecure login scripts out there.

Mac

Posted: Tue Sep 10, 2002 5:05 am
by mikeq
So what is the best thing to do: have them on or off?

Posted: Tue Sep 10, 2002 5:16 am
by twigletmac
I'd go for off. It won't make a lot of difference to the security of your code (you can still use $_REQUEST after all) but since register_globals has been deprecated it will be removed in a later version of PHP. At some point you won't be able to just edit the php.ini and turn it on so it's probably best to get used to life without it no matter what version of PHP you have.

Some hosts may leave it off too, believing that it offers greater security, as will many individuals running their own webservers; therefore code that can only run with reg_globals on is not as portable as code written to work with it off, hence the number of problems we see in the forum.

To conclude:
If you want to write code that'll work in a few years time and you want to be able to move your code to servers that may or may not have reg_globals turned on, turn it off.

Mac

Posted: Tue Sep 10, 2002 5:43 am
by mikeq
Thanks for the reply twigletmac :)

Posted: Tue Sep 10, 2002 6:56 am
by jason
Write for register_globals off, of course, and not for the reason of portability. Using $_GET['username'] is much more telling than $username. Using these global variables makes your code more readable, and makes writing functions and classes that use them easier as well.

On sessions and other stuff....

Posted: Tue Sep 10, 2002 9:27 am
by BDKR

SP: Current 'session' variables use disk space (e.g. /tmp) which is no good for high-traffic sites. Are there plans to remedy this?


RL: Right from day one of the session support in PHP, we provided a shared memory backend session handler. Just set your handler to mm instead of files in php.ini. However, for high-traffic sites this is not the solution. The real solution is to load-balance the site across multiple servers.

Having session data in memory on a single machine doesn't solve anything. For this, you write yourself a session save handler and stick your session data into a central database of some sort. See http://php.net/session_set_save_handler.

This is another thing that I agree with. The built-in use of sessions using the /tmp directory is great and gets lots of people into the ball park rather quickly, but scaling upwards is obviously a different story altogether.

SP: What's been the most surprising or innovative use of PHP you've seen on the Internet?


RL: I keep seeing new and weird things, the latest being Wez Furlong's ActiveScript SAPI module, which lets you do client-side PHP like this:

<html>
  ...
  <script language="ActivePHP">
    function clickit() {
      $GLOBALS["window"]->open("http://www.php.net");
    }
  </script>
  ...
  <img src="..." onclick="clickit();" />
</html>

This is something that I'm surprised more people haven't mentioned. I was stunned! Does anyone care to comment on this? I want to make sure I'm understanding this correctly.

Cheers,
BDKR

Posted: Tue Sep 10, 2002 11:27 am
by Takuma
I've never heard of ActivePHP