[nycphp-talk] Global settings in PHP
Malcolm, Gary
gmalcolm at professionalcredit.com
Wed May 7 17:39:40 EDT 2003
plus using php's myriad and fantastic array manipulation functions directly
on $_SESSION and $_POST ends up making
code very consistent and clear.
hint: extract()ing the SESSION or POST makes for less typing :)
> -----Original Message-----
> From: Hans Zaunere [mailto:hans at nyphp.org]
> Sent: Wednesday, 07 May, 2003 2:30 PM
> To: NYPHP Talk
> Subject: Re: [nycphp-talk] Global settings in PHP
>
>
>
> Hi Anthony,
>
> --- Anthony Tanzola <anthony at emr.net> wrote:
> > Hey List!
> >
> > I am somewhat new to php, though not to web development. I am attempting to
> > send information from a web form to a php document. I then want to create
> > session variables and have the ability to manipulate the session variables
> > as needed.
> >
> > The book I have uses examples throughout that require the following setting
> > in the php.ini file:
> >
> > register_globals = On
>
> Hark! Burn that book!
>
> Seriously though, I would not use that book to learn from. register_globals
> = On is a curse from the early days of PHP and needs to be eliminated, for
> several reasons.
>
> 1) Security - a user can override variables in your script and cause absolute
> havoc very easily.
>
> 2) Style - As I've said, register_globals has probably been the one setting
> that has hurt PHP's reputation as an 'Enterprise Solution.' Granted, I don't
> know what that means either, but it's not good programming style to use it.
>
> 3) Compatibility - Modern versions of PHP (since about 4.2.x I think) default
> to register_globals = Off. As such, your scripts won't work with modern
> servers and any convenience you've found in using it now will be dwarfed by
> future dealings with your server administrator, other developers, users and
> the public in general.
>
> 4) People will laugh at you!
>
> Sorry to be so harsh, but I feel very strongly about this one :)
>
> > This elevates the need for $_POST["my_posted_data"] when retrieving posted
> > data.
>
> Absolutely, and the superglobals (ie $_POST, $_GET) make it a breeze. Just a
> tip, though, unless there's a dollar sign (variable) inside the braces, use
> single quotes. $_POST['my_posted_data'] is much faster.
>
> > Also it allows me to register session variables as such:
> >
> > session_register("variable_1", "variable_2", "variable_3", "variable_4",
> > "variable_5", "variable_6")
> >
> > as well as do other things with sessions.
> >
> > I am wondering what the pros and cons are of setting globals to "on". It
> > seems to be a convenience, but are there any downsides or security issues?
>
> Yeah, basically all cons. The only pro could be considered short-term
> convenience, but as I mentioned, you'll end up paying for it.
>
> H
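An added example, not part of the original thread: the variable override described under "1) Security" also occurs when extract() is called on request data with its default flags, shown here beside two safer ways to read the same input. The function names, the `is_admin` flag and the sample `$_POST` contents are hypothetical and constructed for illustration; the type hints assume PHP 7 or later.

```php
<?php
// Constructed sample request. 'is_admin' is not a field of the form;
// it is an extra key sent along with the legitimate ones.
$_POST = ['username' => 'anthony', 'comment' => 'hello', 'is_admin' => '1'];

// Pattern 1: extract() with default flags (EXTR_OVERWRITE). Every request
// key becomes a local variable, as with register_globals = On, so a
// variable set by the application can be replaced by request data.
function handle_with_extract(array $post): bool
{
    $is_admin = false;   // decided by the application
    extract($post);      // request key 'is_admin' overwrites it
    return (bool) $is_admin;
}

// Pattern 2: EXTR_SKIP leaves variables that already exist untouched.
// This only protects variables defined before the call.
function handle_with_extr_skip(array $post): bool
{
    $is_admin = false;
    extract($post, EXTR_SKIP);
    return (bool) $is_admin;
}

// Pattern 3: read only the fields the form defines, by name.
// Unknown keys are never turned into variables.
function handle_with_allowlist(array $post): bool
{
    $is_admin = false;
    $allowed = ['username', 'comment'];   // hypothetical form fields
    $input = array_intersect_key($post, array_flip($allowed));
    $username = isset($input['username']) ? (string) $input['username'] : '';
    $comment = isset($input['comment']) ? (string) $input['comment'] : '';
    // ... use $username and $comment here ...
    return $is_admin;
}

// Print the resulting flag for each pattern.
foreach (['handle_with_extract', 'handle_with_extr_skip',
          'handle_with_allowlist'] as $handler) {
    echo $handler, ': ';
    var_dump($handler($_POST));
}
```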