Bug #15969 Observation on deprecation of register_globals
Submitted: 2002-03-08 23:33 UTC Modified: 2002-07-02 17:11 UTC
From: colins at infofind dot com Assigned:
Status: Not a bug Package: PHP options/info functions
PHP Version: 4.1.2 OS: Linux
Private report: No CVE-ID: None
 [2002-03-08 23:33 UTC] colins at infofind dot com
We love PHP and our business relies upon it.  I want to lobby for NOT deprecating register_globals in future releases.  This will break a huge amount of code we have written and involve a major effort in repairing it, if register_globals is permanently set to NO.
I thoroughly agree with all your security issues and any new code should be written on the assumption that it is set to NO.  But ultimately it should be left to the user to decide whether or not to enable it, not have it dictated to him.
All this IMHO, but I hope you will open a dialog to see how others feel about it.
Thanks,
Colin
PS. I realize this is not a bug but couldn't find a better place on the web site to express my opinion.

 [2002-03-09 03:01 UTC] mfischer@php.net
Open a dialog about a discussion which relaxes PHP's security badly? Of course it IS the developers' fault who are NOT aware of the implications when using register_globals on. There is nothing else the PHP Team can do than make a serious default setting if those developers are not able to understand what they are doing.

And for you, it's changing one line in the INIs, so what?

If it's your ISP who decides to let this be disabled by default then it's a good ISP. If that's what you complain about, complain at your ISP (who, honestly, should not relax this feature).
 [2002-03-09 08:49 UTC] sniper@php.net
As of PHP 4.1.0 there is this function:

http://www.php.net/manual/en/function.import-request-variables.php

 [2002-03-09 13:22 UTC] colins at infofind dot com
I think maybe one of us is missing the point (and it's probably me!).  php.ini-recommended says:
"Note that register_globals is going to be depracated (sic)(i.e., turned off by default) in the next version of PHP, because it often leads to security bugs."
I take this to mean that register_globals will be off permanently and cannot be turned back on, even in the INI.
But if it means that it will default to OFF but can still be turned ON in the INI, then I have no complaint.  This would protect the novice but allow those who understand the implications to turn it on.  Although the latter doesn't sound to be any more than how the distribution INIs are written.
My issue is not the wisdom of having it ON or OFF, just the wisdom of taking away the option of choosing from the PHP system administrator.
Availability of functions like that suggested by sniper are fine, but would still take a huge effort to change all the code and the potential is high for breaking any part of it by missing one place to add the function.
Your comments and thoughts are appreciated.
Colin
 [2002-03-09 14:09 UTC] philip@php.net
See also: import_request_variables() and extract() for ways to deal with this issue.
 [2002-03-09 14:51 UTC] philip@php.net
In PHP, deprecated means "Maybe one day it won't work but not sure if/when that'll be exactly, here's why you shouldn't use this..."  I assume register_globals will work for awhile, and nobody knows when (or if) it won't (yet).

So the question is "When will register_globals not work?"  A good question indeed.  Not a documentation problem as nobody has the answer, yet.
 [2002-03-10 13:02 UTC] colins at infofind dot com
Philip,
Thanks for the PHP definition of "deprecated".  The American Heritage Dictionary defines it as "To expressly disapprove of; protest or plead against - from the Latin deprecari - to ward off by prayer". (I like the Latin definition <grin>.)
I think the usage in software circles is generally taken to mean "this is going away sometime in the future".
In any definition, I reiterate my original statement that I lobby for it never going away, just defaulting to NO with the option to set to YES in the INI (effectively as the php.ini-recommended has it now.)
Colin
 [2002-06-01 19:27 UTC] philip@php.net
I'm going to assume that register_globals will forever be an available PHP directive (I hope so).  Especially after seeing the impact changing the default to off has made.  Is there an official word on this?

Btw, I like the Latin definition too :)
 [2002-07-02 17:11 UTC] sterling@php.net
Btw, profound observations of the meaning of depreciated are best left to private mail.
 
Last updated: Fri Jan 28 06:03:41 2022 UTC