[Phpmyadmin-devel] globals

Sebastian Mendel lists at sebastianmendel.de
Sat Dec 10 11:52:03 CET 2005


Marc Delisle wrote:
> Ok, I am getting lost in all those threads. I guess it's time to vote. 
> I'll try to summarize the issues:
> 
> - remove grab_globals, moving the GLOBALS overwrite protection into 
> common.lib.php

+1


> - everywhere in the code, find the variables that were set from 
> grab_globals and replace them by $_REQUEST['foo'] if they originated 
> from GET, POST or COOKIE, or by a reference to $_FILES, $_ENV  or 
> $_SERVER. Possibly taking into account that $_ENV might not be readable 
> (use of getenv() ?)

+1


> - sanitize individually what can be echoed (like $message) with 
> PMA_sanitize(), for XSS protection. Any need to sanitize something else?

use htmlspecialchars() and PMA_sanitize() only if HTML tags are allowed


> - (later) in an effort to clean global space, replace $str by constants

0

I don't know, I have no knowledge about the difference in how variables and 
constants are handled by PHP

I don't think that this gives a performance boost, as it is not like in other 
languages, where constants are defined first and then replaced in code before 
compiling!

I know the disadvantage of a function I suggested, but using a function 
is much more flexible, e.g. in case of errors or reformatting, more 
flexible than sprintf()

it would be possible to load only contextual strings, not with the current 
lang files, but possibly later with strings optionally saved in the db with 
context information

and I don't know if it is good practice to use constants for strings

-- 
sebastian
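
The approach voted on in this message, sketched as an added example; it is not part of the original e-mail and not phpMyAdmin's code. All function names are hypothetical, the request array is constructed sample data standing in for $_REQUEST, and PHP 7.1 or later is assumed.

```php
<?php
// Added illustration; function names are hypothetical, not phpMyAdmin code.

// Refuse requests that try to overwrite the superglobal array itself.
function reject_globals_overwrite(array $request): void
{
    if (array_key_exists('GLOBALS', $request)) {
        throw new RuntimeException('GLOBALS overwrite attempt');
    }
}

// Read one named parameter explicitly instead of importing every
// request variable into the global scope.
function request_string(array $request, string $name, string $default = ''): string
{
    $value = $request[$name] ?? $default;
    return is_string($value) ? $value : $default; // array input (foo[]=x) is rejected
}

// Plain text output: escape everything.
function escape_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Output that may carry a few formatting tags: escape first, then turn a
// fixed allow-list of bracket markers into tags. Nothing else becomes HTML.
function escape_with_markup(string $value): string
{
    $map = [
        '[b]' => '<strong>', '[/b]' => '</strong>',
        '[i]' => '<em>',     '[/i]' => '</em>',
        '[br]' => '<br>',
    ];
    return strtr(escape_text($value), $map);
}

// Constructed sample request, standing in for $_REQUEST.
$request = ['message' => '[b]Saved[/b] <script>alert(1)</script>', 'db' => ['x']];

reject_globals_overwrite($request);
$message = request_string($request, 'message');
$db      = request_string($request, 'db'); // array input falls back to ''

echo escape_text($message), "\n";        // every tag is shown as text
echo escape_with_markup($message), "\n"; // only the bracket markers become tags
```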



