On Thu, Aug 2, 2012 at 2:34 PM, rich gray <[email protected]> wrote:
>
> On 02/08/2012 13:51, Lester Caine wrote:
>
>> OK
>>
>> No discussions on why register_globals has been removed we all understand
>> why and now have to live with that ... I'm not winging here!
>>
>> The question is "Does anybody have an 'elegant' fix to quickly update a
>> legacy site that relies on globals to pass variables between page views?"
>> My original quick thought was simply to remap these variables as
>> $_SESSION['var'] so as not to get too deeply into the code base. I've used
>> that in a few quick fixes, but I'm not sure that it is acceptable? I have
>> been passing the variables via $_REQUEST but that obviously needs a lot
>> more work in the html generated, so the session approach would seem better?
>> But needs to observe the European rules on use of cookies :(
>>
>> I'm thinking that what is needed is a sort of PEAR package that would
>> simply be added to every page and be provided with a list of variables to
>> manage, so all we need to do is scan the site for variables and establish
>> which need to be remembered. I've got all sorts of stuff from google/bing
>> searches, but I'm obviously not yet asking the right question ;) Has
>> anybody already been down that track?
>>
>> IMO - this should be posted on PHP general not internals -- have you
> tried extract() ?
> http://fr2.php.net/extract
>
> Rich
>
unconditionally extracting variables from user-controlled arrays into the
current/global scope was really a bad decision, if you don't know why, pls.
check the documentation ( http://php.net/manual/en/security.globals.php )

one could use extract() to simulate the behavior of register_globals, but with
that you would be vulnerable to the same attack vectors, so we shouldn't
support that imo.

for a long term fix, one has to read through all of the codebase, discover the
implicit references of the global variables (this is one of the many problems
with register_globals) and replace them with explicit references.

so in this example:

<?php
include './bootstrap.php';
if($admin){

}
else{

}

one has to discover where does the $admin variable come from, and replace it
with $_SESSION['admin'] for example

it is a painful process and can't really be automated. :(

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
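
Added example, not part of the original message or of any project's code: a heuristic scan that supports the "discover the implicit references" step described above by listing variables a file reads before assigning them. The function name implicit_variable_candidates and the sample source (the message's $admin check plus a constructed $title assignment) are assumptions; the scan looks at one file only and cannot see what included files define, so each hit is a candidate for manual review.

```php
<?php
// Heuristic audit aid (hypothetical helper, not a PHP or PEAR API).
// Reports variables that are read before any plain assignment in the file.
function implicit_variable_candidates(string $source): array
{
    // Explicit sources are what the code should be migrated to, so skip them.
    $explicit = ['$GLOBALS', '$_GET', '$_POST', '$_COOKIE', '$_REQUEST',
                 '$_SESSION', '$_SERVER', '$_FILES', '$_ENV', '$this'];
    // Drop whitespace and comments so neighbouring tokens are adjacent.
    $skip = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    $tokens = array_values(array_filter(
        token_get_all($source),
        function ($t) use ($skip) {
            return !is_array($t) || !in_array($t[0], $skip, true);
        }
    ));

    $assigned = [];   // variable name => true once the file assigns it
    $reads = [];      // variable name => line of first unexplained read
    foreach ($tokens as $i => $tok) {
        if (!is_array($tok) || $tok[0] !== T_VARIABLE
            || in_array($tok[1], $explicit, true)) {
            continue;
        }
        $prev = $tokens[$i - 1] ?? null;
        $next = $tokens[$i + 1] ?? null;
        // "$x = ..." and "foreach (... as $x)" give the variable a local origin.
        $isWrite = $next === '=' || (is_array($prev) && $prev[0] === T_AS);
        if ($isWrite) {
            $assigned[$tok[1]] = true;
        } elseif (!isset($assigned[$tok[1]]) && !isset($reads[$tok[1]])) {
            $reads[$tok[1]] = $tok[2];   // token line number
        }
    }
    return $reads;
}

// Constructed sample: the message's example plus one locally assigned variable.
$sample = <<<'SRC'
<?php
include './bootstrap.php';
$title = 'Dashboard';
if ($admin) {
    echo $title;
}
SRC;

foreach (implicit_variable_candidates($sample) as $name => $line) {
    echo "line $line: $name is read without a local assignment\n";
}
```

On the sample only $admin is reported; whether it comes from bootstrap.php or from the request still has to be traced by hand before it is replaced with an explicit reference such as $_SESSION['admin'].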
