On 2012-02-27 15:45, Michal Čihař wrote:
Hi
On Tue, 21 Feb 2012 08:18:45 -0500, Marc Delisle marc@infomarc.info wrote:
When Michal talked about register globals, he meant that in grab_globals.lib.php, we take some variables from superglobals (except some that are in a blacklist) and make them globals, so that the other scripts can work with them.
Yes, basically this was introduced as a short-term hack before we got rid of using globals. However, it stayed longer than everyone expected.
In grab_globals.lib.php, we could output to a trace file the names of the variables that are globalized, then verify in the code where these global variables are used.
In pretty much everything we use $db/$table, so these would be obvious.
Also, I suggest getting rid of $_REQUEST, because the origin of its contents is unclear. Ideally, at every place where we refer to $_REQUEST, a comment should explain the possible origin of the contents.
What do you suggest? Only to use $_POST or $_GET instead of $_REQUEST? I don't see another way of getting the values of URL variables.
Yes; it could be $_COOKIE also, see http://www.php.net/manual/en/reserved.variables.request.php.
I'm not 100% confident about the need to differentiate between GET/POST; however, cookies should surely be treated differently (which I believe is already the case).
I have removed some lines from grab_globals.lib.php. I am currently testing the impact of removing the globalization of $_GET on server_privileges.php.
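The two patterns discussed in this thread, side by side, as an added illustration that is not phpMyAdmin's own code: a grab_globals-style loop that turns client-supplied names into globals, and the explicit per-superglobal access with documented origin that the thread proposes in place of $_REQUEST. The function names and the blacklist contents are assumptions made for the example.

```php
<?php
// Added example, not code from grab_globals.lib.php. The blacklist below is
// a hypothetical one; the real file has its own list.
$blacklist = ['cfg', 'GLOBALS', '_SERVER', '_ENV', '_FILES', '_SESSION'];

// Pattern 1: the "grab globals" hack. Every name sent by the client (query
// string, form body or cookie) becomes a global unless it is blacklisted.
// A script that later reads $db or $table cannot tell where the value came
// from, and any global it forgets to initialise can be seeded by the client.
function grab_globals_like(array $blacklist): void
{
    foreach ([$_GET, $_POST, $_COOKIE] as $source) {
        foreach ($source as $name => $value) {
            if (!in_array($name, $blacklist, true)) {
                $GLOBALS[$name] = $value;
            }
        }
    }
}

// Pattern 2: explicit access. Each value is read from the one superglobal the
// page is designed to accept it from, and the origin is documented where it
// is used, which is what the thread asks for instead of $_REQUEST.
function get_db_name(): ?string
{
    // 'db' arrives in the query string when navigating between pages (GET) ...
    if (isset($_GET['db']) && is_string($_GET['db'])) {
        return $_GET['db'];
    }
    // ... or in the form body when a form is submitted (POST). Cookies are
    // deliberately not consulted here: a database name never comes from one.
    if (isset($_POST['db']) && is_string($_POST['db'])) {
        return $_POST['db'];
    }
    return null;
}

// For comparison: $_REQUEST merges GET, POST and, depending on request_order
// (or variables_order) in php.ini, COOKIE, so a reader of $_REQUEST['db']
// cannot know which of the three supplied the value.
$db = get_db_name();
```

With the explicit form, a grep for `$_GET['db']` / `$_POST['db']` also gives exactly the audit trail the thread suggests producing from a trace file.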