[Phpmyadmin-devel] globals

Garvin Hicking phpmyadmin at supergarv.de
Thu Dec 8 11:45:07 CET 2005


> - remove grab_globals, moving the GLOBALS overwrite protection into
> common.lib.php

+0 :)

> - everywhere in the code, find the variables that were set from
> grab_globals and replace them by $_REQUEST['foo'] if they originated from GET,
> POST or COOKIE, or by a reference to $_FILES, $_ENV or
> $_SERVER. Possibly taking into account that $_ENV might not be readable
> (use of getenv() ?)


> - sanitize individually what can be echoed (like $message) with
> PMA_sanitize(), for XSS protection. Any need to sanitize something else?

I'm +1 for sanitizing all output depending on whether HTML is allowed or not.
However I admit I haven't looked at the current code for ages. :(

> - (later) in an effort to clean global space, replace $str by constants



++ Garvin Hicking | Web-Entwickler [PHP]    | www.garv.in | ICQ 21392242
++ Developer of   | www.phpMyAdmin.net      | www.s9y.org

++ Make me happy  | http://wishes.garv.in
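The two points under discussion above (dropping the grab_globals import of request variables into global scope, and sanitizing anything that is echoed) are illustrated below as an added example. This is not phpMyAdmin code and not from either author of this thread: the legacy import is a simplified stand-in for grab_globals, `readTableParam()` and the parameter name `table` are assumed, and `renderMessage()` uses `htmlspecialchars()` as a stand-in for PMA_sanitize() rather than reproducing that function's actual API.

```php
<?php
// Added example (not phpMyAdmin code): why copying request variables into
// the global scope is dangerous, and the explicit alternative proposed in
// the thread above.

// --- The pattern being removed: grab_globals-style import -----------------
// Simplified stand-in for grab_globals: every request key becomes a global.
// Because the key names come from the request, any existing global can be
// overwritten, including ones the application trusts (here: $cfg).
function legacyImportGlobals(array $request): void
{
    foreach ($request as $key => $value) {
        $GLOBALS[$key] = $value;   // no allow-list, no type check
    }
}

// --- The replacement: read each parameter explicitly by name --------------
// Only the named key is read, with a default and a type cast; nothing else
// from the request can reach application variables.
function readTableParam(array $request): string
{
    // Assumed parameter name 'table'; callers use their real parameter.
    return isset($request['table']) ? (string) $request['table'] : '';
}

// --- Output sanitization (stand-in for PMA_sanitize()) --------------------
// Escape the message before echoing it unless the caller explicitly states
// that the content is trusted HTML.
function renderMessage(string $message, bool $allowHtml = false): string
{
    if ($allowHtml) {
        return $message;   // caller vouches for the markup
    }
    return htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- Demonstration with constructed input ---------------------------------
$cfg = ['ThemePath' => './themes'];   // trusted configuration value

// Constructed hostile request: tries to replace $cfg and carries a message
// that must not be echoed raw.
$request = [
    'cfg'   => ['ThemePath' => '/untrusted/path'],
    'table' => '<script>alert(1)</script>',
];

// Legacy behaviour: the trusted config is silently replaced.
legacyImportGlobals($request);
echo "legacy:   cfg[ThemePath] = " . $GLOBALS['cfg']['ThemePath'] . "\n";

// Explicit behaviour: only the named parameter is read, $cfg is untouched,
// and the echoed message is escaped.
$cfg   = ['ThemePath' => './themes'];   // reset after the legacy demo
$table = readTableParam($request);
echo "explicit: cfg[ThemePath] = " . $cfg['ThemePath'] . "\n";
echo "message:  " . renderMessage("Table '$table' not found") . "\n";
```

The first echo shows `/untrusted/path`, the second shows `./themes`, and the third shows the `<script>` tag rendered as `&lt;script&gt;...`, which is the difference between the two approaches the thread is weighing: with explicit reads there is no global overwrite to protect against, and with escaping at the echo site the decision whether HTML is allowed is made per message rather than assumed.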