Woe is the PHP hosting provider that thinks leaving register_globals on is a good thing. At lunch today, the PICnet gang was chatting about security vulnerabilities that were occuring in many Joomla 3rd party components. The problem is that our wonderful Joomla core was taking flack for not being secure, but at the end of the day all the hacks seemed to be occuring because of poor programming and server hosts leaving on the dreaded "register_globals" on their servers.

I mean, this is PHP hosting 101, right?

Unfortunately, one of our great clients had a server that had register_globals turned on, and the hacker took full advantage. Moral of the story, please, please, check to make sure that register_globals is turned off. If your hosting provider has it turned on, turn and run the other way.

Now, to take this to the next step, Johannes Ullrich over at the Internet Storm Center wrote his Tip of the Day on PHP security today. Read more for some excerpts of how you can protect your code.

As LinuxWorld San Francisco gets ready to take off, the Joomla team and I spent the day fighting for good booth space, popping up a wifi spot, grabbing some drinks in Pacific Heights, and generally getting ready for the mayhem to begin.