phptest-devel

Re: [Phptest-devel] security and older interpreters


From: dj resonance
Subject: Re: [Phptest-devel] security and older interpreters
Date: Mon, 15 Jul 2002 08:15:06 -0700 (PDT)

The PHP developers have stressed security for a while
now, they just didn't turn on a lot of the security
options by default (register_globals for example).
The fact is, code that doesn't use the $_POST, etc. 
variable can be written securely too, as long as it is
thought about up front.  Again, I don't see a reason
to switch to the new superglobal arrays because there
is no benefit to be gained from them.  Yes, webhosts
who are using later versions of phptest may have the
latest patches and security fixes, but changing all of
phptest to reflect the new superglobals would be dumb,
because it locks out the majority of users.  Also note
that I'm not using, nor have I come across any feature
I'd like to use that is post 4.1.0 only.  Let's just
keep the $HTTP_*_VARS variables.  Yes, security is
broader than just using aliases, but there is no
reason you can't write secure code with php < 4.1.0.

Brandon

--- John Lacey <address@hidden> wrote:
> Brandon,
> 
> It occurred to me that my comments about the 4.2.0
> minimum requirement going
> forward might be misinterpreted.  I should have
> included a suggestion that
> once the new features you are thinking about are
> implemented, that version
> of phpTest could be "frozen" with the occasional bug
> fixed as necessary.
> That way users, whose hosting providers are running
> interpreters below 4.2.0
> (beaucoup), would not be locked out from utilizing
> an older version of
> phpTest with a fairly rich feature set.  An
> announcement could be made about
> the plan up front, so that separate forks would not
> have to be upgraded and
> maintained (a very bad thing, indeed).
> 
> Again, I appreciate the fact that security is a much
> broader issue than
> simply using aliases in place of $HTTP_*_VARS, so
> there would be a fair
> amount of work involved in the process.  The PHP
> folks seem to be just
> beginning to attack security issues, so who knows
> what other changes may be
> forthcoming in the next few years.  Maybe they'll
> even come out with some
> doofus logo saying "PHProtectIT" so people can
> happily plaster it on their
> site. :)
> 
> Finally, you could choose to bag the entire idea
> figuring there's nothing to
> be gained by using the new input mechanisms at this
> point, having the
> product in your head.  My take on that would be
> philosophical, figuring
> I've "done my job" as an interested contributor in
> submitting new ideas, or
> code, or whatever I can.
> 
> John
> 
> 
> _______________________________________________
> Phptest-devel mailing list
> address@hidden
> http://mail.freesoftware.fsf.org/mailman/listinfo/phptest-devel



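An added illustration of the point argued in this thread, not code from phpTest or from either poster: the register_globals hazard in code that leans on auto-imported request variables, beside the same check written safely against $HTTP_POST_VARS on a pre-4.1.0 interpreter. The password 's3cret', the parameter names and the request contents are constructed for the example; extract() is used only to reproduce what register_globals=On does, so the script behaves the same whatever php.ini says.

```php
<?php
// Added example for this thread, not code from phpTest or its authors.
// Written for PHP < 4.1.0: only $HTTP_GET_VARS / $HTTP_POST_VARS are used,
// never the 4.1+ superglobals. The password 's3cret' and all variable and
// parameter names are illustrative assumptions.

// Constructed sample request, as the web server would populate the arrays:
// the visitor put ?authorized=1 in the query string and posted a wrong password.
$HTTP_GET_VARS  = array('authorized' => '1');
$HTTP_POST_VARS = array('password' => 'wrong');

// Simulate register_globals=On (the default before PHP 4.2.0): every request
// parameter is imported as a plain PHP variable. extract() does the same
// thing in-script, so the example is deterministic regardless of php.ini.
extract($HTTP_GET_VARS);
extract($HTTP_POST_VARS);

// --- Vulnerable pattern ----------------------------------------------------
// $authorized is only ever assigned on success. With register_globals on,
// the attacker's ?authorized=1 has already set it before this code runs,
// and a wrong password leaves that value untouched, so the request is
// treated as authenticated.
if ($password == 's3cret') {
    $authorized = true;
}
echo "vulnerable: ", ($authorized ? "access granted" : "access denied"), "\n";

// --- Hardened pattern, same interpreter, no superglobals -------------------
// Two habits close the hole without touching $_POST:
//   1. initialise every variable before it is read, so nothing imported by
//      register_globals can pre-seed it;
//   2. read input explicitly from $HTTP_POST_VARS rather than from whatever
//      global happens to exist, checking with isset() for a missing field.
function is_authorized($post_vars)
{
    $authorized = false;                         // (1) explicit default
    $password   = isset($post_vars['password'])  // (2) explicit source
                ? $post_vars['password'] : '';
    if ($password === 's3cret') {                // strict compare, no type juggling
        $authorized = true;
    }
    return $authorized;
}
echo "hardened:   ", (is_authorized($HTTP_POST_VARS) ? "access granted" : "access denied"), "\n";
?>
```

Both halves run on the same interpreter; the difference is entirely in whether the script trusts a variable it never assigned. The hardened function never consults the stray authorized parameter at all, which is the "thought about up front" discipline the reply refers to.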

