ID: 15108
Updated by: philip
Reported By: [EMAIL PROTECTED]
Old Status: Bogus
Status: Feedback
Bug Type: Feature/Change Request
Operating System: n/a
Old PHP Version: 4.1.1
PHP Version: 4.2.0
New Comment:

After some searching, came across an important thread that my brain
never saw.  The proposal on the issue of register_globals and "the big
change":

  http://marc.theaimsgroup.com/?l=php-dev&m=99638397319055

Which includes some great information.  Including import_globals(),
which in short, my concern is solved by: import_globals('S').  This
next thread (very long) is very related too, which existed before the
above proposal:

  http://marc.theaimsgroup.com/?l=php-dev&m=99600275103594

It's all sounds good.  

But :)  Throughout the history of the manual, it's been *implied* that
predefined server variables are registered globally.  This will
obviously change (see #14472) but point is, this is a potential
problem.  Is this worth doing anything else about?  Like, defaulting
PHP with 'S' (or ES) for a release or two?  Or, would that just add
unneeded confusion.



Previous Comments:
------------------------------------------------------------------------

[2002-01-18 16:52:14] [EMAIL PROTECTED]

> But most importantly, this will be useful.

no it won't, same security consideration as with
the other global registrations



------------------------------------------------------------------------

[2002-01-18 16:14:25] [EMAIL PROTECTED]

In short, when register_globals = off, server variables would/should
continue to register globally.  Variables such as:

  $PHP_SELF, $DOCUMENT_ROOT, $REMOTE_ADDR, etc.

As currently they do not.  And on a sidenote, the current docs imply
that server variables always exist, regardless of setting.  Some
possible options:

a) Create a new config setting, such as register_server_globals or
register_predefined_globals
b) Make register_globals allow for individual EGPCS settings (default
to S)
c) Make server variables always exist, like track_vars do now.
d) ...

This will help ease the register_globals = off transition as well as
cause a lot less "4.2.0 BROKE PHP!!!" emails.  But most importantly,
this will be useful.

------------------------------------------------------------------------



Edit this bug report at http://bugs.php.net/?id=15108&edit=1


-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to