[Phpmyadmin-devel] Let's break master?

Michal Čihař michal at cihar.com
Mon Feb 27 21:45:27 CET 2012


On Tue, 21 Feb 2012 08:18:45 -0500
Marc Delisle <marc at infomarc.info> wrote:

> When Michal talked about register globals, he meant that in
> grab_globals.lib.php, we take some variables from superglobals (except
> some that are in a blacklist) and make them globals, so that the other
> scripts can work with them.

Yes, basically this was introduced as a short-term hack before we get rid
of using globals. However, it stayed longer than everyone expected.

> In grab_globals.lib.php, we could output to a trace file the names of
> the variables that are globalized, then verify in the code where these
> global variables are used.

In pretty much everything we use $db/$table, so these would be obvious.

> >> Also, I suggest to get rid of $_REQUEST, because the origin of its
> >> contents is unclear. Ideally, at every place where we refer to
> >> $_REQUEST, a comment should explain the possible origin of the contents.
> > 
> > What do you suggest? Only to use $_POST or $_GET instead of $_REQUEST?
> > I don't see another way of getting the values of url variables.
> Yes; it could be $_COOKIE also, see
> http://www.php.net/manual/en/reserved.variables.request.php.

I'm not 100% confident about the need to differentiate between GET/POST,
however cookies should surely be treated differently (which I believe is
already the case).

	Michal Čihař | http://cihar.com | http://phpmyadmin.cz
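
The tracing idea discussed in this message, as an added illustration (not phpMyAdmin's grab_globals.lib.php and not code from anyone in the thread): request variables are imported from explicitly named sources in a fixed order, blacklisted names are skipped, and every decision is recorded so a name that arrives from more than one origin, such as a cookie shadowing a GET parameter, is visible. The function name `import_with_trace`, the blacklist contents, the trace layout and the sample request are all assumptions made for the example.

```php
<?php
// Added illustration; hypothetical helper, not phpMyAdmin code.

/**
 * Copy variables from named sources into $target, skipping blacklisted
 * names, and return a per-variable trace of origin and skipped sources.
 * The first source listing a name wins, so precedence is explicit in the
 * order of $sources instead of depending on PHP's request_order setting
 * as $_REQUEST does.
 */
function import_with_trace(array $sources, array $blacklist, array &$target): array
{
    $trace = [];
    foreach ($sources as $origin => $vars) {
        foreach ($vars as $name => $value) {
            $name = (string) $name; // numeric array keys arrive as int
            if (!isset($trace[$name])) {
                $trace[$name] = ['imported_from' => null, 'skipped' => []];
            }
            if (in_array($name, $blacklist, true)) {
                $trace[$name]['skipped'][] = "$origin (blacklisted)";
            } elseif ($trace[$name]['imported_from'] !== null) {
                $trace[$name]['skipped'][] = "$origin (already set)";
            } else {
                $target[$name] = $value;
                $trace[$name]['imported_from'] = $origin;
            }
        }
    }
    return $trace;
}

// Constructed sample request: 'db' arrives via both GET and a cookie,
// and 'cfg' tries to overwrite a protected name.
$sources = [
    'GET'    => ['db' => 'sales', 'table' => 'orders'],
    'POST'   => ['sql_query' => 'SELECT 1', 'cfg' => ['x' => 1]],
    'COOKIE' => ['db' => 'mysql', 'lang' => 'en'],
];
$blacklist = ['GLOBALS', '_SERVER', '_SESSION', 'cfg']; // assumed list
$imported = []; // stands in for the global scope in this example
$trace = import_with_trace($sources, $blacklist, $imported);

foreach ($trace as $name => $t) {
    printf("%-10s from=%-6s skipped=%s\n", $name,
        $t['imported_from'] ?? '-', implode(', ', $t['skipped']) ?: '-');
}
```

Here `db` is reported as imported from GET with the COOKIE copy skipped, and `cfg` is never imported; reading the same request through `$_REQUEST` would hide which source supplied `db`.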