On 02/08/2012 15:56, Ferenc Kovacs wrote:
On Thu, Aug 2, 2012 at 2:34 PM, rich gray wrote:
On 02/08/2012 13:51, Lester Caine wrote:
OK
IMO - this should be posted on PHP general not internals -- have
you tried extract() ?
http://fr2.php.net/extract
Rich
unconditionally extracting variables from user-controlled arrays into
the current/global scope was really a bad decision, if you don't know
why, pls. check the documentation (
http://php.net/manual/en/security.globals.php )
one could use extract() to simulate the behavior of register_globals,
but with that you would be vulnerable to the same attack vectors, so
we shouldn't support that imo.
for a long term fix, one has to read through all of the codebase,
discover the implicit references of the global variables (this is one
of the many problems with register_globals) and replace them with
explicit references.
so in this example:
<?php
include './bootstrap.php';
if($admin){
}
else{
}
one has to discover where the $admin variable comes from, and
replace it with $_SESSION['admin'] for example
it is a painful process and can't really be automated. :(
I agree using extract() is bad as was register_globals but (as I read
his original post) he wanted a solution to simulate register_globals = 1
and I gave it to him - still not sure why this is being discussed on
internals but hey...
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
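
Added example, not part of the original thread: a PHP sketch of why emulating register_globals with extract() keeps the same exposure for the $admin check discussed above, next to the explicit $_SESSION-style reference. The function names, the sample request and session arrays, and the function bodies standing in for bootstrap.php are assumptions made for illustration.

```php
<?php
// Constructed sample data: a request carrying an extra "admin" parameter,
// and the session of an ordinary (non-admin) user.
$request = ['page' => 'home', 'admin' => '1'];
$session = ['user' => 'alice'];

// Hypothetical stand-in for a bootstrap that emulates register_globals
// with extract(). The default flag, EXTR_OVERWRITE, replaces a value the
// application has already set.
function isAdminOverwrite(array $request, array $session): bool
{
    $admin = !empty($session['admin']);
    extract($request);
    return (bool) $admin;
}

// EXTR_SKIP keeps existing variables, but the usual register_globals-era
// pattern assigns $admin only on the privileged path. For everyone else
// the variable does not exist yet, so the request value is still imported.
function isAdminSkip(array $request, array $session): bool
{
    if (!empty($session['admin'])) {
        $admin = true;
    }
    extract($request, EXTR_SKIP);
    return !empty($admin);
}

// Explicit reference: the decision names its source, so request
// parameters never reach it.
function isAdminExplicit(array $session): bool
{
    return ($session['admin'] ?? false) === true;
}

// Compare the three checks for the same non-admin session.
var_dump(isAdminOverwrite($request, $session));
var_dump(isAdminSkip($request, $session));
var_dump(isAdminExplicit($session));
// A session that really carries the flag, for contrast.
var_dump(isAdminExplicit(['user' => 'root', 'admin' => true]));
```

Both extract() variants let the request decide the outcome for a non-admin session; only the explicit check ties the result to the session contents.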