[Phpmyadmin-devel] Removing of grab_globals
Sebastian Mendel
lists at sebastianmendel.de
Wed Dec 7 07:29:50 CET 2005
Marc Delisle wrote:
>> I think in most cases PMA should use $_REQUEST directly and use one of
>> the above functions only to set default values.
>>
>> Using $_REQUEST makes it more clear where this variable came from,
>> always reminding the developer to take care with these variables!
>
> I don't understand why using $_REQUEST makes more clear where this
> variable came from. In $_REQUEST, variables can come from EGPCS, as
> defined by the variables_order directive. I think that it's better to
> say explicitly where we expect each variable to come from.
$_REQUEST holds only $_POST, $_GET and $_COOKIE, normally in this order,
and it makes clear that this variable came from outside and has to be
handled with care; of course the other superglobals do too.
>> And I think it's not good to always 'clean' variables.
>>
>> What will you clean off? You can not decide what users insert into their
>> databases or how they name their tables and fields.
>
> We have many possible sources for an attack. An evident one is with the
> variables that are echoed back (partly checked with PMA_sanitize(), for
> example in sql.php). But there are other sources, like attacks on $_FILES.
$_FILES is only used in import or binary upload; in these rare places
this array should be handled explicitly.
--
Sebastian Mendel
www.sebastianmendel.de
www.sf.net/projects/phpdatetime | www.sf.net/projects/phptimesheet
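The two positions in the thread, reading input from an explicitly named superglobal with a default and escaping at the point of use instead of "cleaning" stored names, in one added example; this is illustrative code written for this page, not phpMyAdmin code, and `request_var`, `quote_identifier` and `html` are hypothetical helpers.

```php
<?php
// Added example, not phpMyAdmin code: read request variables from an
// explicitly named superglobal instead of $_REQUEST, apply a default,
// and escape at output time rather than "cleaning" the stored value.

/**
 * Return $source[$name] if set, otherwise $default.
 * $source is one of 'get', 'post', 'cookie', so the origin of the value
 * is visible at the call site (hypothetical helper, not a PMA function).
 */
function request_var(string $source, string $name, $default = null)
{
    switch ($source) {
        case 'get':    $arr = $_GET;    break;
        case 'post':   $arr = $_POST;   break;
        case 'cookie': $arr = $_COOKIE; break;
        default:
            throw new InvalidArgumentException("unknown source: $source");
    }
    return array_key_exists($name, $arr) ? $arr[$name] : $default;
}

// A table name is untrusted but must not be "cleaned": a user may
// legitimately own a table called  weird "name" . Quote it as an SQL
// identifier and escape it for HTML where it is used instead.
function quote_identifier(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input standing in for a real GET request.
$_GET = ['table' => 'weird "name"', 'pos' => '10'];

$table = request_var('get', 'table', '');
$pos   = (int) request_var('get', 'pos', 0);   // only an integer is acceptable here

$sql = 'SELECT * FROM ' . quote_identifier($table) . ' LIMIT ' . $pos . ', 30';
echo 'Query: ' . html($sql) . "\n";   // escaped when echoed back to the browser
echo 'Table: ' . html($table) . "\n";
```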