ID: 21129 Updated by: [EMAIL PROTECTED] Reported By: hugo at gewis dot nl -Status: Open +Status: Closed Bug Type: Feature/Change Request Operating System: any PHP Version: 4.2.3 New Comment:
This is fixed in PHP5 CVS. Previous Comments: ------------------------------------------------------------------------ [2002-12-21 05:51:55] hugo at gewis dot nl IMHO it would be nice to have a configuration option that ensures that only $_POST, $_GET, $_SERVER, $_ENV etc. are set, and that $HTTP_POST_VARS, $HTTP_GET_VARS, $HTTP_SERVER_VARS, $HTTP_ENV_VARS etc. are not defined. Why? Obviously to remove the overhead of having a duplicate version of each variable. Furthermore, this can assist in cleaner, more secure code (in my humble opinion). For example:I just ran into a situation where a login was checked. The submitted password was removed from $_POST. It was, however, still available from $HTTP_POST_VARS. (Of course, this last issue could also be fixed by making one a reference to the other (as suggested in bug 15180).) I think the phrase 'avoid duplication of volatile information' applies here. Hugo ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=21129&edit=1
