
[Phptest-devel] register_globals and PHP security


From: John Lacey
Subject: [Phptest-devel] register_globals and PHP security
Date: Sun, 14 Jul 2002 09:00:21 -0600

Brandon,

After researching the register_globals issue and giving consideration to
where PHP is heading, in terms of getting serious about security, I've
decided the best direction phpTest could take in this area is to lead by
following suit.  Of course, I would want to continue to work on this part of
the project for the reasons I mentioned in a previous email.

In your first response to me after I sent along kudos and some ideas in
early June, you indicated that you intended to make phpTest the only
reasonable choice for online testing.  I believe there are compelling
reasons to synchronize phpTest with the fact that it was released to the
public after version 4.2.0 with register_globals off, and also after the
4.1.0 announcement to do so.  I also believe hosting companies will have a
strong reason to upgrade their PHP interpreters to reflect the commitment to
securing PHP with the recent introduction of the new superglobal arrays
($_POST, $_SESSION, et al).

The immediate issue, imho, is the decision that needs to be made to take
phpTest forward with a requirement that it be run with PHP 4.2.0, at
minimum.  What a shame it would be if people refused to host phpTest because
of their concerns about PHP script security.  It would be to everyone's
loss.

Your thoughts?
John



