[Phpmyadmin-devel] Re: globals

Michal Čihař michal at cihar.com
Thu Dec 8 11:05:01 CET 2005


On Thu, 08 Dec 2005 11:49:45 -0500
Marc Delisle <Marc.Delisle at cegepsherbrooke.qc.ca> wrote:

> Ok, I am getting lost in all those threads. I guess it's time to vote. 
> I'll try to summarize the issues:
> 
> - remove grab_globals, moving the GLOBALS overwrite protection into 
> common.lib.php

Okay.

> - everywhere in the code, find the variables that were set from 
> grab_globals and replace them by $_REQUEST['foo'] if they originated 
> from GET, POST or COOKIE, or by a reference to $_FILES, $_ENV  or 
> $_SERVER. Possibly taking into account that $_ENV might not be readable 
> (use of getenv() ?)

Yes, getenv should be the safer choice.

> - sanitize individually what can be echoed (like $message) with 
> PMA_sanitize(), for XSS protection. Any need to sanitize something else?

IMHO not.

> - (later) in an effort to clean global space, replace $str by constants

Okay.

-- 
    Michal Čihař | http://cihar.com
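The two points agreed above (stop importing request parameters into the global namespace, and escape anything that is echoed) are illustrated by the following added example. It is not phpMyAdmin code and not from either poster: `extract()` is used as a stand-in for what the old grab_globals mechanism did, `sanitize_for_html()` is a hypothetical helper standing in for `PMA_sanitize()`, and the request array is constructed inline.

```php
<?php
// Added example (not phpMyAdmin code): the old "grab globals" style, where
// request keys silently become PHP variables, beside the explicit superglobal
// access proposed in the thread.

// --- Before: register_globals-style import (assumed stand-in for grab_globals) ---
// extract() copies every request key into the current scope, so a client-supplied
// key can overwrite an internal variable that was never meant to be user input.
function legacy_handler(array $request): string
{
    $is_admin = false;     // internal flag
    extract($request);     // clobbers $is_admin when the client sends that key
    return $is_admin ? 'admin view' : 'user view';
}

// --- After: explicit access plus escaping of anything that will be echoed ---
// Hypothetical helper standing in for PMA_sanitize(): HTML-escape a value so a
// message parameter cannot inject markup into the page.
function sanitize_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

function explicit_handler(array $request): string
{
    $is_admin = false;                                              // never client-controlled
    $message  = isset($request['message']) ? (string) $request['message'] : '';
    return ($is_admin ? 'admin view' : 'user view') . ': ' . sanitize_for_html($message);
}

// The thread notes $_ENV may not be readable, so read through getenv() instead.
function env_value(string $name, string $default = ''): string
{
    $v = getenv($name);
    return $v === false ? $default : $v;
}

// Constructed request array; in production this would be $_REQUEST.
$constructed = ['is_admin' => '1', 'message' => '<b>hello</b>'];

echo legacy_handler($constructed), "\n";    // flag is overwritten by the request
echo explicit_handler($constructed), "\n";  // flag untouched, message escaped
echo env_value('PATH', '(unset)'), "\n";
```

Running this shows why the thread wants every former grab_globals variable replaced by an explicit `$_REQUEST['foo']` read: the legacy handler's internal flag is controlled by the request, while the explicit handler only takes the one key it asks for and escapes it before output.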