[Phpmyadmin-devel] Removing of grab_globals

Marc Delisle Marc.Delisle at cegepsherbrooke.qc.ca
Wed Dec 7 07:49:26 CET 2005


Sebastian Mendel wrote:
> Marc Delisle wrote:
> 
>>> I think in most cases PMA should use $_REQUEST directly and use one 
>>> of the above functions only to set default values
>>>
>>> Using $_REQUEST makes it clearer where this variable came from, 
>>> reminding the developer always to take care with these variables!
>>
>>
>> I don't understand why using $_REQUEST makes it clearer where this 
>> variable came from. In $_REQUEST, variables can come from EGPCS, as 
>> defined by the variables_order directive. I think that it's better to 
>> say explicitly where we expect each variable to come from.
> 
> 
> $_REQUEST holds only $_POST, $_GET, $_COOKIE, normally in this order

Not according to
http://www.php.net/manual/en/ini.core.php#ini.variables-order

> 
> and it makes clear that this variable came from outside and has to be 
> handled with care, of course the other superglobals too

So why not go with the clearer way?
> 
> 
>>> and I think it's not good to always 'clean' variables
>>>
>>> what will you clean off? you cannot decide what users insert into 
>>> their database or how they name their tables and fields
>>
>>
>> We have many possible sources for an attack. An evident one is with 
>> the variables that are echoed back (partly checked with 
>> PMA_sanitize(), for example in sql.php). But there are other sources, 
>> like attacks on $_FILES.
> 
> 
> $_FILES is only used in import or binary upload; in these rare places 
> this array should be handled explicitly
> 
> 
Ok.
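Marc's point about variables_order, shown as an added example that is not part of the original thread or of phpMyAdmin's code: it simulates how PHP fills $_REQUEST from the per-channel arrays (later letters in variables_order override earlier ones) and contrasts that with reading an explicitly named channel. The helper names and the sample values are hypothetical and constructed for illustration.

```php
<?php
// Added example, not phpMyAdmin code. Simulates the $_REQUEST merge that
// PHP performs according to variables_order, then shows the explicit
// alternative of naming the channel a variable is expected from.

// Constructed sample input: the same name arrives via three channels.
$sources = [
    'G' => ['db' => 'sales'],        // query string  ($_GET)
    'P' => ['db' => 'hr'],           // form body     ($_POST)
    'C' => ['db' => 'stale_value'],  // cookie left by an earlier response
];

// Mimic the merge PHP performs for $_REQUEST: walk variables_order from
// left to right; each later channel overwrites keys already present.
function build_request(string $variablesOrder, array $sources): array
{
    $request = [];
    foreach (str_split($variablesOrder) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_merge($request, $sources[$letter]);
        }
    }
    return $request;
}

// Explicit alternative: name the channel you expect and supply a default,
// so a value smuggled in through another channel is never picked up.
function read_var(array $channel, string $name, $default = null)
{
    return array_key_exists($name, $channel) ? $channel[$name] : $default;
}

$merged = build_request('EGPCS', $sources);
echo "\$_REQUEST['db'] under EGPCS: {$merged['db']}\n"; // cookie wins

$merged = build_request('GP', $sources);
echo "\$_REQUEST['db'] under GP:    {$merged['db']}\n"; // POST wins

echo "explicit \$_POST['db']:      " . read_var($sources['P'], 'db') . "\n";
echo "explicit \$_GET['missing']:  " . read_var($sources['G'], 'missing', 'none') . "\n";
```

Under the default EGPCS order the cookie value silently wins, which is exactly the ambiguity that reading from a named channel avoids.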