PHP 6 keeps register globals after all.
Posted: Tue Apr 01, 2008 4:36 am
Something on the PHP 6 mailing list this morning...
"Register globals are the source of many applications' security problems and cause a constant grief. We shortly discussed how we want to attend users on the disappearance of this functionality. We decided that if we find the setting during the startup of PHP we raise an E_CORE_ERROR which will prevent the server from starting with a message that points to the documentation. However, due to the use of globals across so many existing open source apps it has been decided that rather than an E_CORE_ERROR we will raise an E_WARNING instead, allowing users to retain globals if required by their code - Faro Poill"
That's quite a u-turn.