Hi
On Tue, 21 Feb 2012 08:18:45 -0500,
Marc Delisle <marc(a)infomarc.info> wrote:
> When Michal talked about register globals, he meant that in
> grab_globals.lib.php, we take some variables from superglobals (except
> some that are in a blacklist) and make them globals, so that the other
> scripts can work with them.
Yes, basically this was introduced as a short-term hack before we get rid
of using globals. However, it stayed longer than everyone expected.
> In grab_globals.lib.php, we could output to a trace file the names of
> the variables that are globalized, then verify in the code where these
> global variables are used.
In pretty much everything we use $db/$table, so these would be obvious.
> Also, I suggest to get rid of $_REQUEST, because the origin of its
> contents is unclear. Ideally, at every place where we refer to
> $_REQUEST, a comment should explain the possible origin of the contents.
> What do you suggest? Only to use $_POST or $_GET instead of $_REQUEST?
> I don't see another way of getting the values of url variables.
Yes; it could be $_COOKIE also, see
http://www.php.net/manual/en/reserved.variables.request.php.
I'm not 100% confident about the need to differentiate between GET/POST;
however, cookies should surely be treated differently (which I believe is
already the case).
> I have removed some lines from grab_globals.lib.php. I am currently
> testing the impact of removing the globalization of $_GET on
> server_privileges.php.
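As an added illustration (not code from phpMyAdmin's grab_globals.lib.php or from anyone in this thread), here is a PHP sketch of the globalization mechanism the thread describes, with the trace file Marc proposes, beside an explicit accessor that makes the origin of a request value visible instead of hiding it behind $_REQUEST. The blacklist, the trace path and the sample request are constructed for the example.

```php
<?php
// Added illustration, not phpMyAdmin's own code: the register_globals-like
// pattern discussed in the thread, traced, next to an explicit accessor.

// Constructed blacklist: names that a request must never be allowed to set.
$blacklist = array('cfg', 'GLOBALS', '_SERVER', '_ENV', 'PMA_Config');

// Legacy-style globalization: copy request values into the global scope.
// Every imported name is appended to the trace file so the call sites that
// still depend on it can be located and converted to explicit access.
function grab_globals_traced(array $source, array $blacklist, $trace)
{
    foreach ($source as $name => $value) {
        if (in_array($name, $blacklist, true)) {
            continue;               // never let a request clobber these
        }
        $GLOBALS[$name] = $value;   // this is the short-term hack being removed
        file_put_contents($trace, $name . "\n", FILE_APPEND);
    }
}

// Explicit alternative: the caller names the superglobals it accepts, so the
// possible origin of the value is visible in the code. Cookies are not
// consulted unless the caller asks for them, keeping them separate from
// URL and form parameters as the thread recommends.
function request_value($name, array $allowed = array('GET', 'POST'))
{
    $sources = array('GET' => $_GET, 'POST' => $_POST, 'COOKIE' => $_COOKIE);
    foreach ($allowed as $method) {
        if (isset($sources[$method][$name])) {
            return array('value' => $sources[$method][$name], 'origin' => $method);
        }
    }
    return null;
}

// Constructed sample request; in real use PHP fills these superglobals.
$_GET    = array('db' => 'test', 'cfg' => 'injected');
$_POST   = array();
$_COOKIE = array('table' => 'from_cookie');

grab_globals_traced($_GET, $blacklist, '/tmp/pma_globals.trace');
var_dump(isset($GLOBALS['cfg']));   // the blacklist keeps $cfg untouched
var_dump(request_value('db'));      // value plus the superglobal it came from
var_dump(request_value('table'));   // cookie-only value, so not returned by default
```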