ID: 15108 Updated by: philip Reported By: [EMAIL PROTECTED] Old Status: Bogus Status: Feedback Bug Type: Feature/Change Request Operating System: n/a Old PHP Version: 4.1.1 PHP Version: 4.2.0 New Comment:
After some searching, came across an important thread that my brain never saw. The proposal on the issue of register_globals and "the big change": http://marc.theaimsgroup.com/?l=php-dev&m=99638397319055 Which includes some great information. Including import_globals(), which in short, my concern is solved by: import_globals('S'). This next thread (very long) is very related too, which existed before the above proposal: http://marc.theaimsgroup.com/?l=php-dev&m=99600275103594 It's all sounds good. But :) Throughout the history of the manual, it's been *implied* that predefined server variables are registered globally. This will obviously change (see #14472) but point is, this is a potential problem. Is this worth doing anything else about? Like, defaulting PHP with 'S' (or ES) for a release or two? Or, would that just add unneeded confusion. Previous Comments: ------------------------------------------------------------------------ [2002-01-18 16:52:14] [EMAIL PROTECTED] > But most importantly, this will be useful. no it won't, same security consideration as with the other global registrations ------------------------------------------------------------------------ [2002-01-18 16:14:25] [EMAIL PROTECTED] In short, when register_globals = off, server variables would/should continue to register globally. Variables such as: $PHP_SELF, $DOCUMENT_ROOT, $REMOTE_ADDR, etc. As currently they do not. And on a sidenote, the current docs imply that server variables always exist, regardless of setting. Some possible options: a) Create a new config setting, such as register_server_globals or register_predefined_globals b) Make register_globals allow for individual EGPCS settings (default to S) c) Make server variables always exist, like track_vars do now. d) ... This will help ease the register_globals = off transition as well as cause a lot less "4.2.0 BROKE PHP!!!" emails. But most importantly, this will be useful. ------------------------------------------------------------------------ Edit this bug report at http://bugs.php.net/?id=15108&edit=1 -- PHP Development Mailing List <http://www.php.net/> To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
