On Thu, 08 Dec 2005 11:49:45 -0500 Marc Delisle <Marc.Delisle@cegepsherbrooke.qc.ca> wrote:
> Ok, I am getting lost in all those threads. I guess it's time to vote. I'll try to summarize the issues:
>
> - remove grab_globals, moving the GLOBALS overwrite protection into common.lib.php

Okay.

> - everywhere in the code, find the variables that were set from grab_globals and replace them by $_REQUEST['foo'] if they originated from GET, POST or COOKIE, or by a reference to $_FILES, $_ENV or $_SERVER. Possibly taking into account that $_ENV might not be readable (use of getenv() ?)

Yes, getenv should be the safer choice.

> - sanitize individually what can be echoed (like $message) with PMA_sanitize(), for XSS protection. Any need to sanitize something else?

IMHO not.

> - (later) in an effort to clean global space, replace $str by constants

Okay.
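As an added example (not phpMyAdmin's code and not part of the thread), the grab_globals-style import that the summary proposes removing is shown beside the explicit-superglobal pattern it proposes instead: a GLOBALS-key check of the kind meant for common.lib.php, reads from $_REQUEST and getenv(), and escaping of anything that gets echoed. The function names, the constructed request, and the escape_for_echo() stand-in for PMA_sanitize() are assumptions for illustration.

```php
<?php
// Added example, not phpMyAdmin code. Function names and the escape_for_echo()
// stand-in for PMA_sanitize() are assumptions; the request below is constructed.

// ---- Before (the grab_globals pattern, shown only; do not run) ----
//   foreach ($_GET as $name => $value) { $$name = $value; }
// Run at file scope this recreates register_globals. Because $GLOBALS is
// itself a variable name, a request key "GLOBALS" carrying an array can
// overwrite arbitrary globals, $cfg included, before any code reads them.

// ---- After: protection that belongs in common.lib.php ----
// Refuse the request outright if any input array carries a GLOBALS key.
// $_ENV is checked too, although it may be empty when variables_order omits E.
function globals_overwrite_attempted()
{
    foreach (array($_GET, $_POST, $_COOKIE, $_FILES, $_SERVER, $_ENV) as $input) {
        if (isset($input['GLOBALS'])) {
            return true;
        }
    }
    return false;
}

// Explicit read from the superglobal a value is expected in, with a default,
// replacing the bare $foo that grab_globals used to populate.
function request_param($name, $default = null)
{
    return isset($_REQUEST[$name]) ? $_REQUEST[$name] : $default;
}

// Environment lookups through getenv(): unlike $_ENV it does not depend on
// the variables_order ini setting.
function env_param($name, $default = null)
{
    $value = getenv($name);
    return ($value === false) ? $default : $value;
}

// Stand-in for PMA_sanitize() (assumption: phpMyAdmin's own function differs).
// Anything that is echoed, such as $message, goes through this first.
function escape_for_echo($text)
{
    return htmlspecialchars($text, ENT_QUOTES);
}

// ---- Demo on a constructed request (no real HTTP request involved) ----
$_GET = array(
    'message' => '<script>alert(1)</script>',
    'GLOBALS' => array('cfg' => array('anything' => 'overwritten')),
);
$_REQUEST = $_GET;

if (globals_overwrite_attempted()) {
    echo "GLOBALS overwrite attempt rejected\n";
    // Demo only: real code would die() here instead of continuing.
    unset($_GET['GLOBALS'], $_REQUEST['GLOBALS']);
}

$message = request_param('message', '');
echo escape_for_echo($message), "\n";
echo env_param('PATH', '(unset)'), "\n";
```

Run it with `php example.php`. Two caveats worth keeping in mind when doing the replacement across the code base: what $_REQUEST contains is governed by the ini configuration (variables_order, and request_order on later PHP versions), so a value that only ever arrives in a cookie is safer read from $_COOKIE directly; and the GLOBALS check must run before any other include reads request data, which is the reason the summary puts it in common.lib.php rather than in the file being removed.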