[Phpmyadmin-devel] Removing of grab_globals
Marc Delisle
Marc.Delisle at cegepsherbrooke.qc.ca
Wed Dec 7 07:49:26 CET 2005
Sebastian Mendel wrote:
> Marc Delisle wrote:
>
>>> I think in most cases PMA should use $_REQUEST directly and use one
>>> of the above functions only to set default values
>>>
>>> using $_REQUEST makes it more clear where this variable came from,
>>> reminding the developer always to take care with these variables!
>>
>> I don't understand why using $_REQUEST makes more clear where this
>> variable came from. In $_REQUEST, variables can come from EGPCS, as
>> defined by the variables_order directive. I think that it's better to
>> say explicitly where we expect each variable to come from.
>
> $_REQUEST holds only $_POST, $_GET, $_COOKIE, normally in this order
Not according to
http://www.php.net/manual/en/ini.core.php#ini.variables-order
>
> and it makes clear that this variable came from outside and has to be
> handled with care, of course the other superglobals too
So why not go with the clearer way?
>
>>> and I think it's not good to always 'clean' variables
>>>
>>> what will you clean off? you can not decide what users insert into
>>> their database or how they name their tables and fields
>>
>> We have many possible sources for an attack. An evident one is with
>> the variables that are echoed back (partly checked with
>> PMA_sanitize(), for example in sql.php). But there are other sources,
>> like attacks on $_FILES.
>
> $_FILES is only used in import or binary upload; in these rare places
> this array should be handled explicitly
>
Ok.
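The point argued above, that $_REQUEST hides which source a variable came from because the merge order is set by the variables_order directive, can be shown in a few lines. The following is an added example, not phpMyAdmin code: the function names fetch_param and merged_request are hypothetical, and the $_GET/$_COOKIE values are constructed sample input.

```php
<?php
// Added example (not phpMyAdmin code). fetch_param() and merged_request()
// are hypothetical helper names; the superglobal contents below are
// constructed sample input so the script runs offline.

/**
 * Read $name from exactly one named superglobal, with a default.
 * $source is 'get', 'post' or 'cookie'; any other value is rejected so a
 * typo cannot silently widen the set of accepted sources.
 */
function fetch_param(string $name, string $source, $default = null)
{
    switch ($source) {
        case 'get':    $bag = $_GET;    break;
        case 'post':   $bag = $_POST;   break;
        case 'cookie': $bag = $_COOKIE; break;
        default:
            throw new InvalidArgumentException("unknown source: $source");
    }
    return array_key_exists($name, $bag) ? $bag[$name] : $default;
}

/**
 * Emulate how PHP builds $_REQUEST from $_GET, $_POST and $_COOKIE for a
 * given variables_order / request_order string. Later letters overwrite
 * earlier ones; 'E' and 'S' never contribute to $_REQUEST and are skipped.
 */
function merged_request(string $order): array
{
    $sources = ['G' => $_GET, 'P' => $_POST, 'C' => $_COOKIE];
    $result  = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $result = array_merge($result, $sources[$letter]);
        }
    }
    return $result;
}

// Constructed sample request: the same key arrives via the URL and a cookie.
$_GET    = ['db' => 'sakila'];
$_POST   = [];
$_COOKIE = ['db' => 'mysql'];

// Which value $_REQUEST['db'] would hold depends only on the ini setting.
var_dump(merged_request('GPC')['db']);
var_dump(merged_request('CPG')['db']);

// The explicit read does not depend on the ini setting, and a source that
// lacks the key falls back to the stated default instead of another source.
var_dump(fetch_param('db', 'get', 'information_schema'));
var_dump(fetch_param('db', 'post', 'information_schema'));
```

With the order GPC the cookie value wins inside $_REQUEST; with CPG the URL value wins, so the same code reads differently on two servers whose php.ini differs. fetch_param() returns the GET value in the third call and the default in the fourth regardless of configuration, which is the "say explicitly where we expect each variable to come from" approach from the message above.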