register_globals = off (Score:5, Informative)

Re:register_globals = off (Score:2, Informative)
Not only that, but for new people, magic_quote_gpc = On
For those not familiar with php, this will escape single quotes in GET/POST/COOKIE data. Helps protect the unfamiliar from things like SQL injection attacks. Once you know what you are doing they can be a bit of a pain in the ass, but for new people, it can help make your code a bit safer.

Ack! (Score:2, Informative)
magic_quotes_gpc = On
That's quotes, plural. Sorry for any confusion.

Re:register_globals = off (Score:3, Insightful)
It will prevent those kinds of attacks at the expense of not teaching you how to write around them. It's really very easy to avoid SQL injection attacks. magic_quote_gpc also has this "magic" thing, and you don't always want your data escaped. Sometimes, you do happen to do things other than database work with form data.

Just Say No (Score:2)
I disagree. Your suggestion is the way the US education system tends to work - teach kids the easy way first, then teach them the right way later (and explain why the easy way is wrong).
The magic quotes feature escapes data for use in a query. There are lots of things you can be doing with data, and storing it is just one.
Also, the escaping that magic quotes does is equivalent to the addslashes function. This is a good last resort, but better options exist for many databases - for example, mysql_escape_st

Re:register_globals = off (Score:5, Funny)
Switch the damn thing off. It's a bloody annoying hack which may (or may not be) switched on for a particular web host, meaning that for security reasons your code has to check whether it's switched on or off, and massage data accordingly. :-)
I've got two functions which automatically strip incoming data of any added escaping, because with my form validation stuff the text may either go into an SQL query or back into the form again, with missing fields highlighted. Text might have come out of the database sans escaping, for editing purposes, and I don't want to have to write my forms code to treat data differently depending on its source. If everything's plain, unescaped text, it makes things so much simpler...
A couple of simple rules - firstly, when creating a database query, always (integer )$record_id or '".mysql_escape_string( $input_string )."' all variables in your queries, having previously checked them for sanity.
Secondly, keep as much code as possible in defined functions, out of the scope of register_globals idiocy. Yes, it can be switched off, but always assume that it's switched on, and is your enemy. Plus, it's a lot easier to track incoming data in your code when it's all defined at the beginning...
page_record_input( ACTION_EDIT, array_unescape( $_POST['input_record'] ), (integer )$_GET['record_id'] );
And lastly, always assume that your users are out to get you. Validate all data, and assume everything and everyone is hostile.

Re:register_globals = off (Score:1)
Apart from that validate thing, you'd make a good POTUS.

Re:register_globals = off (Score:2)

Re:register_globals = off (Score:2)
He presumably knows that given that his advice was to leave it off.

Re:register_globals = off (Score:2)
This little aspect is one sure way to find out if the guy doing your PHP is competent. There is no reason to use register_globals unless you don't care about security. If you have an application that uses this feature; if you have a subcontractor "needing" this feature, you might want to save yourself some future trouble and dump them.

Re:register_globals = off (Score:2)
"This little aspect is one sure way to find out if the guy doing your PHP is competent."
Yep, if your PHP guy or host tells you that you need to turn register_globals off for security reasons, you know that the twit doesn't know how to code properly. register_globals is only a security problem for badly written code. One reason that applications will use it is because it simplifies PHP3 compatibility for some uses. Of course, there shouldn't be too many PHP3 installs left now, so they should probably ph

Re:register_globals = off (Score:2)
All of my code I've used that makes use of register_globals sanity checks everything...strip all codes, tags, slashes, etc. out of every input, and check to make sure the submission comes from a valid established and authenticated session.
Those things make it pretty good, in my experience.

Re:register_globals = off (Score:3, Informative)
"Yep, if your PHP guy or host tells you that you need to turn register_globals off for security reasons, you know that the twit doesn't know how to code properly. register_globals is only a security problem for badly written code."
Bull. There's no good reason to use register globals unless you don't know how to program secure applications. There's NOTHING that can be done with register_globals on that can't be done with register_globals=off, except expose slacker, lame programmers and lame applications.

Re:register_globals = off (Score:2)
I think the grandparent was correct. Register_globals really is only a security problem for badly written code. The question is, where to find a programmer who can guarantee that all of their code is well written. I know mine isn't...

Re:register_globals = off (Score:2)
"There's no good reason to use register globals unless you don't know how to program secure applications."
That is entirely bass ackwards. If you don't know how to program properly, you should have register_globals turned off. If you do know how to code properly, then it doesn't matter if register_globals is off or on. Well written code is inherently immune to exploit of register_globals.
With the demise of PHP3, there is no reason not to write code that is compatible with register_globals off. However,

Re:register_globals = off (Score:2)
"That is entirely bass ackwards. If you don't know how to program properly, you should have register_globals turned off. If you do know how to code properly, then it doesn't matter if register_globals is off or on. Well written code is inherently immune to exploit of register_globals."
There is not a programmer on this planet that consistently writes perfect, secure code.
Your attitude is analogous to saying, "If you are always watching your front door, there's no reason to lock it." Only a fool uses reason
Heard that the next Space Shuttle is supposed to carry several Guernsey cows?
It's gonna be the herd shot 'round the world.
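The two query-building rules in the "Switch the damn thing off" post above (undo magic_quotes escaping once at the boundary, then cast every integer and escape every string at the point it enters the SQL), worked through as an added example. This is not code from the thread or from any poster. It assumes current PHP, where magic_quotes_gpc, get_magic_quotes_gpc() and mysql_escape_string() no longer exist: the magic-quotes damage is simulated with a constructed, pre-escaped input array, PDO::quote() stands in for mysql_escape_string(), and an in-memory SQLite database stands in for MySQL. The helper names (array_unescape, build_query, find_record, demo) are this example's own.

```php
<?php
// Added example, not code from the Slashdot thread. Applies the post's
// rules on current PHP. Assumptions: magic_quotes_gpc and
// mysql_escape_string() are gone, so a pre-escaped input array simulates
// magic_quotes_gpc=On, PDO::quote() stands in for mysql_escape_string(),
// and an in-memory SQLite database stands in for MySQL.

declare(strict_types=1);

// Recursively undo addslashes()-style escaping on a GET/POST/COOKIE array
// so the rest of the code only ever sees plain text. This is this
// example's version of the "array_unescape" helper the post describes,
// not the poster's own code.
function array_unescape(array $data): array
{
    $out = [];
    foreach ($data as $key => $value) {
        $out[$key] = is_array($value) ? array_unescape($value) : stripslashes((string) $value);
    }
    return $out;
}

// Rule one, done by hand: the integer is cast, the string is quoted and
// escaped by the driver, and no variable reaches the SQL text raw.
function build_query(PDO $db, string $name, string $record_id): string
{
    return 'SELECT id, name FROM records WHERE name = ' . $db->quote($name)
         . ' AND id = ' . (int) $record_id;
}

// The same lookup as a prepared statement: the data is never part of the
// SQL text, so there is no escaping decision left to forget.
function find_record(PDO $db, string $name, string $record_id): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM records WHERE name = :name AND id = :id');
    $stmt->execute([':name' => $name, ':id' => (int) $record_id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function demo(): array
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE records (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec("INSERT INTO records (id, name) VALUES (1, 'O''Brien'), (2, 'secret')");

    // Constructed input shaped like $_POST/$_GET under magic_quotes_gpc=On:
    // the apostrophe has already been backslashed once, and record_id
    // carries an injection attempt.
    $post = ['input_record' => ['name' => "O\\'Brien"]];
    $get  = ['record_id' => '1 OR 1=1'];

    // Boundary step: strip the magic-quotes escaping, so the name is O'Brien again.
    $record = array_unescape($post['input_record']);

    // Query step: PDO::quote() doubles the apostrophe and the (int) cast
    // keeps only the leading 1, dropping the " OR 1=1" tail.
    $sql = build_query($db, $record['name'], $get['record_id']);

    return [
        'unescaped_name' => $record['name'],
        'sql'            => $sql,
        'manual'         => $db->query($sql)->fetchAll(PDO::FETCH_ASSOC),
        'prepared'       => find_record($db, $record['name'], $get['record_id']),
    ];
}

print_r(demo());
```

Both lookups return only record 1. The point the post makes about not "treating data differently depending on its source" is what array_unescape buys: whether the name came from a form with magic quotes on or from the database, the code that builds the query always receives plain text and always escapes it itself. The prepared-statement form is the one to prefer on any PHP that offers it, because it removes the per-variable escaping decision entirely.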
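The register_globals hole that the rest of the thread argues about, and the "keep it in defined functions, initialise everything" defence from the "Switch the damn thing off" post, shown side by side as an added example that is not code from the thread. register_globals was removed in PHP 5.4, so its effect (every GET/POST/COOKIE parameter becoming a PHP variable before the script runs) is simulated with extract() on a constructed request array; that simulation, the hostile request, and the function names (legacy_script, hardened_script, accepted_parameters) are this example's own assumptions.

```php
<?php
// Added example, not code from the Slashdot thread. register_globals no
// longer exists, so extract() on a constructed request array stands in for
// what the setting did (assumption). Function names are this example's own.

declare(strict_types=1);

// The classic register_globals hole: the flag is only ever assigned on the
// success path and is assumed to be unset otherwise. This function body
// stands in for a script's top-level code; extract() performs what
// register_globals=On did before the script's first line ran.
function legacy_script(array $request): bool
{
    extract($request);                     // simulates register_globals=On
    if (isset($user) && $user === 'root') {
        $is_admin = true;
    }
    return !empty($is_admin);              // an injected is_admin=1 passes
}

// The same logic written to survive register_globals=On, following the
// post's rules: input is read explicitly from the request array, every
// variable is initialised before use, and nothing relies on the global
// scope, so an injected global has nothing to override.
function hardened_script(array $request): bool
{
    $is_admin = false;
    $user = isset($request['user']) ? (string) $request['user'] : '';
    if ($user === 'root') {
        $is_admin = true;
    }
    return $is_admin;
}

// Hardened code still reads the data it needs; it just does not let the
// request decide which variables exist. Whitelisting the accepted keys at
// the top of the script is the cheap way to make that explicit.
function accepted_parameters(array $request, array $allowed): array
{
    return array_intersect_key($request, array_flip($allowed));
}

// Constructed hostile request: a guest who appends is_admin=1 to the URL.
$request = ['user' => 'guest', 'is_admin' => '1'];

var_dump(legacy_script($request));
var_dump(hardened_script($request));
var_dump(accepted_parameters($request, ['user']));
```

legacy_script() grants admin to the guest, hardened_script() does not, and accepted_parameters() leaves only the user key. This is the concrete form of the "well written code is immune" claim: it is immune only because every variable it tests is one it assigned itself, which is exactly the discipline the other posters doubt anyone keeps up across a whole code base, and why turning the setting off is the cheaper guarantee.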