Master Debater
I am not a master debater. Giving the skewed and half-baked argument made me feel like some punk n00b pretending to be an elitist, while trying to put down the little man.
I pointed out that using Super Globals was for security reasons. Not exactly the truth, but hey, the ends justify the means. I did do some filtering and regex, along with the database escape string function. Should block the novice hacker, doubted any hardcore would want to break such a low traffic site anyway. I was wrong, but that story was already told.
Ah ha! Once PHP 6 is out the debate can be more than, “Just F**king Don’t Use It!” It can be about Unicode and internationalization. Which is funny, because probably wouldn’t be using any of that anyway. It would be nice to be able to add it later, when the audience requests it.
Conclusion
Don’t argue. Just edit it and hope for the best. If you were able to convince a coder, then good for you. Hopefully, the new generation will be able to develop without using Register Globals and the community will be better for it.
Thank you PHP Developers! You rock for the upcoming work on PHP 6.
Well, it *is* about security, to some extent. When you just use the variable names, you never know where it comes from, which makes checking for security a big problem. If you know where the data comes from, you know how to treat it.
Of course, having register globals turned on in the first place is the biggest problem, because then even the variables that you deem “local” may actually have been injected into the application using GET. It should simply be turned off. And for that PHP6 will rule big time.
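The injection described in the comment above, shown as an added example (not code from the post or its commenters). Register Globals is emulated with `extract()` so the script runs on PHP versions where the setting no longer exists; the request array, `session_is_admin()` and both page functions are hypothetical names constructed for the illustration.

```php
<?php
// Constructed request data standing in for $_GET (query string: ?is_admin=1&id=7).
$request = ['is_admin' => '1', 'id' => '7'];

// Hypothetical stand-in for a real session check; this visitor is not logged in.
function session_is_admin(): bool
{
    return false;
}

// "Before": Register Globals behaviour, emulated with extract().
function page_with_register_globals(array $request): string
{
    extract($request);            // every request key becomes a local variable
    if (session_is_admin()) {
        $is_admin = true;         // only ever assigned on the trusted path
    }
    // $is_admin was never initialised, so the request-supplied value is used.
    return !empty($is_admin) ? "admin panel for record $id" : 'access denied';
}

// "After": nothing is imported; each value is read from a named source,
// initialised, and validated before use.
function page_with_superglobals(array $request): string
{
    $is_admin = session_is_admin();   // trusted source only, always initialised
    $id = filter_var(
        $request['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        return 'bad request';         // missing or non-numeric id is rejected
    }
    return $is_admin ? "admin panel for record $id" : 'access denied';
}

echo page_with_register_globals($request), PHP_EOL;
echo page_with_superglobals($request), PHP_EOL;
```

The first function grants access because the flag's origin is unknown; the second refuses because the flag can only come from the session check and the id is validated at the point it is read from the request.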
Well, I simply stated that using the Super Globals improved security, but it still needed to be filtered and checked, which I left as implied. I’m not a l33t security master like Chris, so I just sort of half ass explain security measures as I hear them.
To be honest, I was able to convince one such developer and I’m looking forward to doing the code review. Another game (by another developer), I’m not so sure. Probably not bother doing a code review and just rewrite everything.
“PHP 6 will rule big time,” I agree, but also for other features. Have you seen the TextIterator? Damn sexy. I’m looking forward to that.