Hi!
- remove grab_globals, moving the GLOBALS overwrite protection into common.lib.php
+0 :)
- everywhere in the code, find the variables that were set from grab_globals and replace them by $_REQUEST['foo'] if they originated from GET, POST or COOKIE, or by a reference to $_FILES, $_ENV or $_SERVER. Possibly taking into account that $_ENV might not be readable (use of getenv() ?)
+1
- sanitize individually what can be echoed (like $message) with PMA_sanitize(), for XSS protection. Any need to sanitize something else?
I'm +1 for sanitizing all output depending on whether HTML is allowed or not. However I admit I haven't looked at the current code for ages. :(
- (later) in an effort to clean global space, replace $str by constants
+1 Regards, Garvin -- ++ Garvin Hicking | Web-Entwickler [PHP] | www.garv.in | ICQ 21392242 ++ Developer of | www.phpMyAdmin.net | www.s9y.org ++ Make me happy | http://wishes.garv.in