Hello all

Whereas I fully understand the security implications of PHP's old GET, POST 
and COOKIE variables and welcome with open arms the development team's 
decision to depreciate this facet of PHP, I am a little uncertain exactly 
why they have come up with the solution that appears in the version 4.1.0.

If you have not yet heard of the new input mechanism, this is taken from the 
official announcement:


To help users build PHP applications with register_globals being off, we've 
added several new special variables that can be used instead of the old 
global variables.  There are 7 new special arrays:

$_GET - contains form variables sent through GET
$_POST - contains form variables sent through POST
$_COOKIE - contains HTTP cookie variables
$_SERVER - contains server variables (e.g., REMOTE_ADDR)
$_ENV - contains the environment variables
$_REQUEST - a merge of the GET variables, POST variables and Cookie 
variables. In other words - all the information that is coming from the 
user, and that from a security point of view, cannot be trusted. $_SESSION - 
contains HTTP variables registered by the session module


The arrays $_GET, $_POST, $_COOKIE, $_SERVER contain exactly the same data 
$HTTP_SERVER_VARS. Try this to see for yourself:


echo "<pre>";

print_r ($_GET);
print_r ($HTTP_GET_VARS);

echo "<hr>";

print_r ($_POST);
print_r ($HTTP_POST_VARS);

echo "<hr>";

print_r ($_COOKIE);
print_r ($HTTP_COOKIE_VARS);

echo "<hr>";

print_r ($_SERVER);
print_r ($HTTP_SERVER_VARS);

echo "</pre>";


Would it not have made more sense to depreciate the old variable input 
mechanism and suggest that the HTTP_*_VARS be used instead?

Why introduce a new set of arrays?

Additionally, there is the new array $_REQUEST, but from a security 
perspective, that is exactly the same as the old (4.0.6 and earlier) input 

OK, according to the documentation, there is no need to use the 'global' 
keyword when accessing the new arrays in a function, but I do not really 
consider that to be much of an advantage.

Also from the official announcement:

"Note:  Some of these arrays had old names, e.g. $HTTP_GET_VARS.  These 
names still work, but we encourage users to switch to the new shorter, and 
auto-global versions."

May I ask why? What is the problem with the 'traditional' $HTTP_*_VARS 
arrays? Are these arrays going to be depreciated in the next version too?

Previously, it was generally considered good practice to use the 
$HTTP_*_VARS array instead of the default method. Indeed, there have been 
several articles concerning the insecurities with PHP's default method of 
passing variables between pages. (As a result my PHP apps are built uniquely 
with the 'secure' variable passing method.)

I would be _VERY_ interested in hearing your views on this new feature.

Very best regards


Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp

PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to