On 21 February 2012 12:33, Marc Delisle marc@infomarc.info wrote:
On 2012-02-21 04:43, Michal Čihař wrote:
Hi all,
I think we can agree on register globals being evil. So let's do radical breakage in master and remove ./libraries/grab_globals.lib.php. I know a lot of things will get broken, but this is something that needs to be done for 4.0, and I think it should be done ASAP to prevent any new code from using this.
So I'm not asking you whether to do this, but rather when to do this, with a possible rationale for each choice:
- right now - anyway people should be using QA_3_5, so master breakage should not matter
- after releasing 3.5 - developers can focus on master after releasing 3.5
- after releasing 3.5.1 - the final 3.5 release will most likely bring a lot of bug reports, which will need to be fixed in 3.5.1
I think that right now is a good time, before we get too busy with 3.5.1.
What do you suggest? Remove the library, add a big warning to the demo and then test everything?
Harsh, but effective. It might break some functionality for some time, but it probably is the fastest way. Unless there is a way of detecting every place where this register_globals is needed?
Also, I suggest to get rid of $_REQUEST, because the origin of its contents is unclear. Ideally, at every place where we refer to $_REQUEST, a comment should explain the possible origin of the contents.
What do you suggest? Only to use $_POST or $_GET instead of $_REQUEST? I don't see another way of getting the values of url variables.
Maybe we could create a function/class to get the value of a POST/GET variable and check its validity? I mean, if you need input from a URL variable, you call the function with some parameters: variable name, allowed origin (POST, GET, COOKIE, SESSION, ...), type of data (string, bool, int, ...); and the function checks this and returns the value if it is safe. So all $_REQUEST, $_POST, $_GET, $_COOKIE, ... in the code should be replaced by a call to this function. What do you think?
Kind regards,
Dieter
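The helper Dieter sketches above, written out as an added illustration. This is not phpMyAdmin code and not anything from the thread; the function name pma_get_input, its parameter list and the supported types are assumptions made for the example. The idea is that every read site names the superglobals it accepts, in order of precedence, and the type it expects, so the "where did this value come from" question that Marc raises about $_REQUEST is answered at the call site instead of by PHP's request_order setting.

```php
<?php
// Hypothetical input accessor, added as an illustration of the proposal in
// the thread. Not phpMyAdmin code; all names here are made up.

/**
 * Fetch one request variable from an explicit list of superglobals and
 * validate its type before returning it.
 *
 * @param string   $name    variable name
 * @param string[] $origins allowed sources, in order of precedence; any of
 *                          'GET', 'POST', 'COOKIE'
 * @param string   $type    'string', 'int', 'bool' or 'list'
 * @param mixed    $default returned when the variable is absent or invalid
 * @param string[] $allowed for $type 'list': the accepted string values
 *
 * @return mixed validated value, or $default
 */
function pma_get_input($name, array $origins, $type, $default = null, array $allowed = array())
{
    // Only these three are ever consulted; $_REQUEST is deliberately absent,
    // and SESSION is left out because it is not user-controlled input.
    $sources = array(
        'GET'    => $_GET,
        'POST'   => $_POST,
        'COOKIE' => $_COOKIE,
    );

    // The first allowed origin that contains the variable wins, so the caller
    // decides precedence rather than the php.ini request_order directive.
    $found = false;
    $raw   = null;
    foreach ($origins as $origin) {
        if (! array_key_exists($origin, $sources)) {
            throw new InvalidArgumentException("Unknown origin: $origin");
        }
        if (isset($sources[$origin][$name])) {
            $raw   = $sources[$origin][$name];
            $found = true;
            break;
        }
    }
    if (! $found) {
        return $default;
    }

    switch ($type) {
    case 'int':
        // FILTER_VALIDATE_INT rejects "12abc", "1.5" and arrays.
        if (is_array($raw) || filter_var($raw, FILTER_VALIDATE_INT) === false) {
            return $default;
        }
        return (int) $raw;

    case 'bool':
        // Accepts 1/0, true/false, on/off, yes/no; anything else fails.
        if (is_array($raw)) {
            return $default;
        }
        $value = filter_var($raw, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
        return ($value === null) ? $default : $value;

    case 'list':
        // Only an exact member of the caller's whitelist passes.
        return (is_string($raw) && in_array($raw, $allowed, true)) ? $raw : $default;

    case 'string':
        // Arrays are not strings (PHP happily gives you one for ?x[]=1),
        // and a NUL byte never belongs in a legitimate value.
        return (is_string($raw) && strpos($raw, "\0") === false) ? $raw : $default;

    default:
        throw new InvalidArgumentException("Unknown type: $type");
    }
}

// Usage: a table name may arrive by POST or GET, a paging offset must be an
// integer from the URL only, and a sort direction is one of two known words.
$table = pma_get_input('table', array('POST', 'GET'), 'string', '');
$pos   = pma_get_input('pos', array('GET'), 'int', 0);
$dir   = pma_get_input('sort_order', array('GET'), 'list', 'ASC', array('ASC', 'DESC'));
```

Invalid input falls back to the caller's default rather than raising, so a hostile value like pos=1%20OR%201 simply becomes 0; a grep for $_GET, $_POST, $_COOKIE and $_REQUEST outside this one function then gives the list of places still to convert.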