Why is REGISTER_GLOBALS so bad?
Question
I'm not a PHP developer, but I've seen in a couple of places that people seem to treat it like the plague or something. Why?
Recommended answer
REGISTER_GLOBALS means that all variables passed through GET or POST are available as global variables in your script. Since accessing undeclared variables is not an error in PHP (it's a warning), it can lead to very nasty situations. Consider this, for example:
<?php
// $debug = true;
if ($debug) {
    echo "query: $query\n";
}
It is not a bad thing per se (well-engineered code should not generate warnings, therefore should not access any variables that might be undeclared (and should not need REGISTER_GLOBALS for the same reason)), but PHP code is usually [very] low quality, leading to this kind of security hole.
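The situation the answer describes, next to a hardened form, as an added example that is not part of the original answer. It assumes `extract()` as a stand-in for the directive (register_globals was removed in PHP 5.4); the function names, parameter names and sample requests are hypothetical.

```php
<?php
// Added illustration. register_globals was removed in PHP 5.4, so extract()
// stands in for what the directive did before a script started running.

// Vulnerable shape from the answer: $debug is never initialised by the script.
function page_vulnerable(array $request): string
{
    extract($request);                    // emulates register_globals = On
    $query = "SELECT name FROM items";    // constructed internal value
    $out = "";
    if ($debug) {                         // undefined unless the client sent it
        $out .= "query: $query\n";
    }
    return $out . "item: " . (int) $id . "\n";
}

// Hardened shape: no bulk import, every variable initialised before use.
function page_hardened(array $request): string
{
    $debug = false;                       // decided server-side only
    $query = "SELECT name FROM items";
    $id = isset($request['id']) ? (int) $request['id'] : 0;
    $out = "";
    if ($debug) {
        $out .= "query: $query\n";
    }
    return $out . "item: $id\n";
}

// Constructed requests (hypothetical parameter names).
$benign  = ['id' => '7'];
$crafted = ['id' => '7', 'debug' => '1'];

foreach (['benign' => $benign, 'crafted' => $crafted] as $label => $request) {
    echo "[$label] vulnerable:\n", page_vulnerable($request);
    echo "[$label] hardened:\n", page_hardened($request);
}
```

On the benign request the vulnerable function triggers PHP's undefined-variable diagnostic for `$debug`; on the crafted one it prints the query, while the hardened function prints only the item line for both.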