Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:61965 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 19211 invoked from network); 2 Aug 2012 13:56:58 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 2 Aug 2012 13:56:58 -0000 Authentication-Results: pb1.pair.com header.from=tyra3l@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=tyra3l@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.220.170 as permitted sender) X-PHP-List-Original-Sender: tyra3l@gmail.com X-Host-Fingerprint: 209.85.220.170 mail-vc0-f170.google.com Received: from [209.85.220.170] ([209.85.220.170:36253] helo=mail-vc0-f170.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 2A/95-21438-8278A105 for ; Thu, 02 Aug 2012 09:56:56 -0400 Received: by vcbgb30 with SMTP id gb30so9294724vcb.29 for ; Thu, 02 Aug 2012 06:56:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=3RFz0bvMoMiDqo9WGd7xrSVgckFUeGp3WIKcfOr9+dg=; b=q8ZJGRCLxmZYbHEheRBJME7K7WWV/2dShU70q1IRQ+7RDfRhP1yZ+zjjUcPAdIwq/x bb6r+b2dA87vBzX48MmCo2GgnmT1/dje9LaqjEA9JGOJGdeSiaq3VwiKiFS/qKKYMqSY rYtER1tsw/7W9pRoS+m89xvq2LkbHNclI2mUpXEfXXK2iRg8p2qCmtHPXbYsoGOhprpm uBU2oM+QxQKQoLl2/x9TvfwvTAdmLwUetJJyhbY5vOX4jWnVhFGvtegv63dhmwoccfNy U6iLkQlpLhb0UZEyMeYvhTOyOOmU+iRTOaAuM67dk/w3JSm74z7JzMUBB6pWVK5ZOpB3 ooXA== MIME-Version: 1.0 Received: by 10.52.100.4 with SMTP id eu4mr17507296vdb.66.1343915813079; Thu, 02 Aug 2012 06:56:53 -0700 (PDT) Received: by 10.58.1.225 with HTTP; Thu, 2 Aug 2012 06:56:52 -0700 (PDT) In-Reply-To: <501A73B8.3030009@richgray.com> References: <501A69B4.4040401@lsces.co.uk> <501A73B8.3030009@richgray.com> Date: Thu, 2 Aug 2012 15:56:52 +0200 Message-ID: To: rich@richgray.com Cc: Lester Caine , "internals@lists.php.net" Content-Type: multipart/alternative; boundary=20cf3071c710a588c604c648c830 Subject: Re: [PHP-DEV] register_globals work arounds From: tyra3l@gmail.com (Ferenc Kovacs) --20cf3071c710a588c604c648c830 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On Thu, Aug 2, 2012 at 2:34 PM, rich gray wrote: > > On 02/08/2012 13:51, Lester Caine wrote: > >> OK >> >> No discussions on why register_globals has been removed we all understan= d >> why and now have to live with that ... I'm not winging here! >> >> The question is "Does anybody have an 'elegant' fix to quickly update a >> legacy site that relies on globals to pass variables between page views?= " >> My original quick thought was simply to remap these variables as >> $_SESSION['var'] so as not to get too deeply into the code base. I've us= ed >> that in a few quick fixes, but I'm not sure that it is acceptable? I hav= e >> been passing the variables via $_REQUEST but that obviously needs a lot >> more work in the html generated, so the session approach would seem bett= er? >> But needs to observe the European rules on use of cookies :( >> >> I'm thinking that what is needed is a sort of PEAR package that would >> simply be added to every page and be provided with a list of variables t= o >> manage, so all we need to do is scan the site for variables and establis= h >> which need to be remembered. I've got all sorts of stuff from google/bin= g >> searches, but I'm obviously not yet asking the right question ;) Has >> anybody already been down that track? >> >> IMO - this should be posted on PHP general not internals -- have you > tried extract() ? > http://fr2.php.net/extract > > Rich > unconditionally extracting variables from user-controller arrays into the current/global scope was really a bad decision, if you don't know why, pls. check the documentation ( http://php.net/manual/en/security.globals.php ) one could use extract() to simulate the behavior of register_globals, but with that you would be vulnerable to the same attack vectors, so we shouldn't support that imo. for a long term fix, one has to read through all of the codebase, discover the implicit references of the global variables (this is one of the many problems with register_globals) and replace them with explicit references. so in this example: