为什么REGISTER_GLOBALS这么糟糕? [英] Why is REGISTER_GLOBALS so bad?

问题描述

我不是PHP开发人员，但我在很多地方看到人们似乎将其视为瘟疫之类.为什么?

I'm not a PHP developer but i've seen in a couple of places that people seem to treat it like the plague or something. Why?

推荐答案

REGISTER_GLOBALS意味着通过GET或POST传递的所有变量都可以作为脚本中的全局变量使用.由于访问未声明的变量不是PHP中的错误(这是警告)，因此可能导致非常讨厌的情况.请考虑一下，例如:

REGISTER_GLOBALS means that all variables passed through GET or POST are avilable as global variables in your script. Since accessing undeclared variables is not an error in PHP (it's a warning), it can lead to very nasty situations. Consider this, for example:

<?php
// $debug = true;
if ($debug) {
    echo "query: $query\n";
}

这本身不是一件坏事(精心设计的代码不应生成警告，因此不应访问任何可能未声明的变量(出于相同的原因也不应 ) )，但PHP代码通常质量很低，从而导致这种安全漏洞.

It is not a bad thing per se (well engineered code should not generate warnings, therefore should not access any variables that might be undeclared (and should not need REGISTER_GLOBALS for the same reason)), but PHP code is usually [very] low quality, leading to this kind of security holes.

这篇关于为什么REGISTER_GLOBALS这么糟糕?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！