Newsgroups: php.internals
Xref: news.php.net php.internals:61966
Message-ID: <501A9A1A.5090809@richgray.com>
Date: Thu, 02 Aug 2012 17:17:46 +0200
From: rich gray <rich@richgray.com>
To: Ferenc Kovacs
CC: Lester Caine, internals@lists.php.net
References: <501A69B4.4040401@lsces.co.uk> <501A73B8.3030009@richgray.com>
Subject: Re: [PHP-DEV] register_globals work arounds

On 02/08/2012 15:56, Ferenc Kovacs wrote:
>
> On Thu, Aug 2, 2012 at 2:34 PM, rich gray wrote:
>
>> On 02/08/2012 13:51, Lester Caine wrote:
>>> OK
>>
>> IMO - this should be posted on PHP general not internals -- have
>> you tried extract() ?
>> http://fr2.php.net/extract
>>
>> Rich
>
> unconditionally extracting variables from user-controlled arrays into
> the current/global scope was really a bad decision, if you don't know
> why, pls. check the documentation (
> http://php.net/manual/en/security.globals.php )
> one could use extract() to simulate the behavior of register_globals,
> but with that you would be vulnerable to the same attack vectors, so
> we shouldn't support that imo.
> for a long term fix, one has to read through all of the codebase,
> discover the implicit references of the global variables (this is one
> of the many problems with register_globals) and replace them with
> explicit references.
> so in this example:
>
> include './bootstrap.php';
> if($admin){
>
> }
> else{
>
> }
>
> one has to discover where the $admin variable comes from, and
> replace it with $_SESSION['admin'] for example
> it is a painful process and can't really be automated. :(

I agree using extract() is bad, as was register_globals, but (as I read his original post) he wanted a solution to simulate register_globals = 1 and I gave it to him - still not sure why this is being discussed on internals but hey...
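The following is an added example, not code from this thread or from PHP itself, illustrating the point Ferenc makes above: extract() on a request array recreates the register_globals overwrite problem around the quoted `if($admin)` check, and the explicit `$_SESSION['admin']` reference is the fix. The `$request` and `$session` arrays are constructed stand-ins for `$_GET` and `$_SESSION`; the function names are this example's own.

```php
<?php
// Added example (not from the original thread): why extract() on a
// user-controlled array behaves like register_globals=On, and the
// explicit-reference rewrite that closes the hole.
declare(strict_types=1);

// Constructed request: an attacker simply sends ?admin=1 themselves.
$request = ['admin' => '1', 'page' => 'home'];
// Constructed session as the server set it: this visitor is not an admin.
$session = ['admin' => false, 'user' => 'guest'];

// Vulnerable: $admin is never assigned by the code; extract() materialises
// it from whatever the client sent, so the branch is attacker-controlled.
function is_admin_via_extract(array $request): bool
{
    extract($request);          // BAD: request keys become local variables
    return !empty($admin);      // reads the injected $admin
}

// EXTR_SKIP does not help here: it only refuses to overwrite locals that
// already exist, and $admin was never initialised, so it is still created.
function is_admin_via_extract_skip(array $request): bool
{
    extract($request, EXTR_SKIP);
    return !empty($admin);
}

// Hardened: the explicit reference Ferenc asks for. The only source of
// $admin is the session. If extract() is still wanted for view data, the
// EXTR_PREFIX_ALL mode keeps request keys from colliding with any local.
function is_admin_explicit(array $session, array $request): bool
{
    $admin = !empty($session['admin']);         // explicit default and source
    extract($request, EXTR_PREFIX_ALL, 'req');  // creates $req_admin, $req_page only
    return $admin;                              // $req_admin cannot reach this
}

var_dump(is_admin_via_extract($request));
var_dump(is_admin_via_extract_skip($request));
var_dump(is_admin_explicit($session, $request));
```

Run with `php` on the file: the two extract()-based checks report the attacker as an administrator because `'1'` is non-empty, while the explicit version reports false because it consults only the session. Grepping a code base for variables that are read before any assignment in the same file is the manual step Ferenc describes; extract() and register_globals are what made that reading "work" in the first place.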