[Phpmyadmin-devel] Removing of grab_globals

Sebastian Mendel lists at sebastianmendel.de
Wed Dec 7 07:29:50 CET 2005

Marc Delisle schrieb:

>> I think in most cases PMA should use $_REQUEST directly and use one of 
>> the above functions only to set default values.
>> Using $_REQUEST makes it more clear where this variable came from, 
>> reminding the developer always to take care with these variables!
> I don't understand why using $_REQUEST makes more clear where this 
> variable came from. In $_REQUEST, variables can come from EGPCS, as 
> defined by the variables_order directive. I think that it's better to 
> say explicitly where we expect each variable to come from.

$_REQUEST holds only $_POST, $_GET, $_COOKIE, normally in this order,

and it makes clear that this variable came from outside and has to be 
handled with care; of course the other superglobals too.

>> And I think it's not good to always 'clean' variables.
>> What will you clean off? You can not decide what users insert into their 
>> database or how they name their tables and fields.
> We have many possible sources for an attack. An evident one is with the 
> variables that are echoed back (partly checked with PMA_sanitize(), for 
> example in sql.php). But there are other sources, like attacks on $_FILES.

$_FILES is only used in import or binary upload; in these rare places 
this array should be handled explicitly.

Sebastian Mendel
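As an added illustration of the point debated above (this is example code, not phpMyAdmin's own; PMA_getParam() and buildRequestArray() are hypothetical names, the request data is constructed inline, and the syntax assumes PHP 7 or later), the script below contrasts an explicit per-source lookup with default values against the merged contents of $_REQUEST, whose composition depends on the server's request_order / variables_order setting rather than on the code:

```php
<?php
// Added example (not phpMyAdmin code): read a request parameter from an
// explicitly named source with a default, instead of relying on $_REQUEST.
// PMA_getParam() is a hypothetical helper name, not an actual phpMyAdmin function.

/**
 * Return $source[$name] if it is set and a string, else $default.
 * $source is one of the superglobals ($_GET, $_POST, $_COOKIE, ...),
 * passed in by the caller so the origin of the value is visible at the call site.
 */
function PMA_getParam(array $source, string $name, string $default = ''): string
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return $default;  // also rejects array-valued parameters such as ?db[]=x
    }
    return $source[$name];
}

/**
 * Reproduce what $_REQUEST contains for a given order string such as
 * "GP" or "GPC": later sources overwrite earlier ones with the same key.
 * This merge is constructed here for the demonstration; PHP itself builds
 * $_REQUEST at request start, so assigning to $_GET afterwards does not
 * change the real $_REQUEST.
 */
function buildRequestArray(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged  = [];
    foreach (str_split($order) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_merge($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Constructed sample input: the same parameter name arrives via the URL
// and via a cookie left over from an earlier session.
$get    = ['db' => 'sakila', 'table' => 'film'];
$post   = [];
$cookie = ['db' => 'old_database', 'pma_lang' => 'en'];

// Explicit lookup: the developer states that 'db' is expected in the URL.
$db = PMA_getParam($get, 'db', 'information_schema');
echo "explicit \$_GET lookup: db={$db}\n";           // sakila

// $_REQUEST under order "GPC": the cookie value silently wins.
$request = buildRequestArray('GPC', $get, $post, $cookie);
echo "\$_REQUEST with GPC:   db={$request['db']}\n"; // old_database

// Under order "GP" (the value shipped in php.ini-production for
// request_order) cookies are excluded and the URL value is used, so the
// outcome is decided by server configuration, not by the script.
$request = buildRequestArray('GP', $get, $post, $cookie);
echo "\$_REQUEST with GP:    db={$request['db']}\n"; // sakila

// Missing parameter: the default is applied in one place rather than
// being scattered through the script.
echo "missing parameter:    " . PMA_getParam($post, 'db', '(none)') . "\n"; // (none)
```

Run with `php example.php`. The contrast is the one both sides of the thread are circling: naming the source at the call site documents where a value is expected from and makes a cookie or POST field with the same name irrelevant, while a default-setting helper keeps the fallback in one place without attempting to "clean" user-chosen database or table names.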