[Phpmyadmin-devel] Let's break master?

Marc Delisle marc at infomarc.info
Wed Feb 29 12:51:53 CET 2012


On 2012-02-27 15:45, Michal Čihař wrote:
> Hi
> 
> On Tue, 21 Feb 2012 08:18:45 -0500
> Marc Delisle <marc at infomarc.info> wrote:
> 
>> When Michal talked about register globals, he meant that in
>> grab_globals.lib.php, we take some variables from superglobals (except
>> some that are in a blacklist) and make them globals, so that the other
>> scripts can work with them.
> 
> Yes, basically this was introduced as a short-term hack before we got rid
> of using globals. However, it stayed longer than everyone expected.
> 
>> In grab_globals.lib.php, we could output to a trace file the names of
>> the variables that are globalized, then verify in the code where these
>> global variables are used.
> 
> In pretty much everything we use $db/$table, so these would be obvious.
> 
>>>> Also, I suggest to get rid of $_REQUEST, because the origin of its
>>>> contents is unclear. Ideally, at every place where we refer to
>>>> $_REQUEST, a comment should explain the possible origin of the contents.
>>>
>>> What do you suggest? Only to use $_POST or $_GET instead of $_REQUEST?
>>> I don't see another way of getting the values of url variables.
>>
>> Yes; it could be $_COOKIE also, see
>> http://www.php.net/manual/en/reserved.variables.request.php.
> 
> I'm not 100% confident about the need to differentiate between GET/POST;
> however, cookies should surely be treated differently (which I believe is
> already the case).

I have removed some lines from grab_globals.lib.php. I am currently
testing the impact of removing the globalization of $_GET on
server_privileges.php.

-- 
Marc Delisle
http://infomarc.info
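Added illustration of the two patterns discussed in this thread (this is not code from phpMyAdmin, grab_globals.lib.php, or either writer; the function names extract_request_globals() and request_value(), the blacklist contents and the simulated request are all constructed for the example). It contrasts a register_globals-style hack, where every merged request key becomes a global variable, with an explicit accessor that names the superglobal the value is expected to come from, which is the per-use origin documentation Marc asks for in place of $_REQUEST.

```php
<?php
// Hypothetical helper names; not phpMyAdmin's own code.

/**
 * register_globals-style hack: every key of an already-merged request array
 * becomes a global variable unless it is blacklisted. After this runs, a
 * script that reads $db cannot tell whether the value came from the URL,
 * the POST body or a cookie, and any global that is not on the blacklist
 * can be set by the client simply by naming it in the request.
 */
function extract_request_globals(array $merged_request, array $blacklist)
{
    foreach ($merged_request as $name => $value) {
        if (in_array($name, $blacklist, true)) {
            continue;
        }
        $GLOBALS[$name] = $value;
    }
}

/**
 * Explicit alternative: read one named parameter from one stated source.
 * The $source argument records where the value is expected to arrive from,
 * so the origin is visible at the call site instead of hidden in $_REQUEST.
 */
function request_value($name, $source, $default = null)
{
    switch ($source) {
        case 'get':    $bag = $_GET;    break;
        case 'post':   $bag = $_POST;   break;
        case 'cookie': $bag = $_COOKIE; break;
        default:
            throw new InvalidArgumentException("unknown request source: $source");
    }
    return array_key_exists($name, $bag) ? $bag[$name] : $default;
}

// --- constructed request (no real HTTP request is involved) ---
// The same key arrives both as a URL parameter and as a cookie, plus an
// unrelated cookie whose name happens to match a global the scripts use.
$_GET    = array('db' => 'sales');
$_POST   = array();
$_COOKIE = array('db' => 'from_cookie', 'is_superuser' => '1');

// PHP builds $_REQUEST by merging the sources listed in request_order
// (falling back to variables_order); a later source overrides an earlier one.
// The merge is reproduced explicitly here so the example does not depend on
// the php.ini of the machine it runs on: cookies are merged last.
$merged = array_merge($_GET, $_POST, $_COOKIE);
extract_request_globals($merged, array('GLOBALS', '_GET', '_POST', '_COOKIE', '_SERVER', '_ENV', '_FILES'));

// $db now holds the cookie's value, and $is_superuser exists even though no
// script ever asked for it: the origin of both is invisible to the caller.
var_dump($GLOBALS['db'], $GLOBALS['is_superuser']);

// With the explicit accessor, the URL value is used and the cookie is ignored;
// a parameter that was never sent on the URL falls back to the default.
var_dump(request_value('db', 'get'), request_value('is_superuser', 'get'));
```

The accessor deliberately has no 'request' source: a caller that cannot say whether a value belongs on the URL, in the POST body or in a cookie has exactly the ambiguity the thread wants removed, and should resolve it before reading the value.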
