Justin,
Thanks for the response.
The applications vary from site to site. Many of them use include files,
some of them don't. One thing that is nice is any apps that use cookies or
sessions go through the _COOKIE or _SESSION arrays already.
I did think of something that could be very useful, but I'm not sure if it's
just as bad as having register_gloabls on or not... but basically, something
like this:
foreach($_POST as $k=>$v) {
$$k = $v;
}
Does that not defeat the purpose, or is it just a really good idea?
Thanks!
Thom Porter
----- Original Message -----
From: "Justin French" <[EMAIL PROTECTED]>
To: "Thomas Porter" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, September 24, 2002 6:23 PM
Subject: Re: [PHP] script to check for register_gloabs=off compatibility
> I'm not aware of anything like that, apart from PHP itself :)
>
> Turn your error reporting to the strictest setting, and go through your
> applications, and it should complain whenever is has to echo/use a
undefined
> variable.
>
> Although that sounds a little daunting with 8000 pages... are you using
lots
> of include files (for all files which are in a certain section)? if so,
it
> quite possible that you only have to modify the header include to keep
> things up to date on many pages.
>
> If you do find such a script, I'd be keen to hear about it. Essentially,
> you need to munch through each of your scripts WITH the include/require's
> inline, looking for an undefined variable.
>
> Then for each of those undefined variables, figure out if the were
supposed
> to be from GET, POST, FILES, COOKIE or SESSION, and put a few lines at the
> top of the file:
>
> $myvar = $_GET['myvar'];
> $myvar2 = $_POST['myvar2'];
>
>
> It's also probably a lesson in documentation... when I first started in
PHP
> I was paranoid about everything, and spent AGES on documentation and
> comments at the top of files. But I was really thankfull I did, because it
> saved me HOURS later on, because I had everything documented... which vars
> came from post/get/cookies/sessions/etc.
>
>
> Good luck,
>
> Justin
>
>
> on 25/09/02 4:00 AM, Thomas Porter ([EMAIL PROTECTED]) wrote:
>
> > I currently maintain about 100 sites that use PHP. Many of them were
> > programmed pre 4.2, and are not compatible with the register_globals=off
> > setting. Since we use virtual hosts in apache I have been able to
modify
> > that one ini setting for the sites that need it, but now my job is to
modify
> > all of these scripts to be compatible with the register_globals=off
setting
> > so they will be more secured. I'm wondering if anyone out there has
written
> > a script that can look at the PHP scripts and see if they are compatible
or
> > not. I'm sure this would be no easy task, but it would be most useful
at
> > the same time. I've done a find for all of the PHP scripts on our
server
> > and am confronted with over 8,000 scripts that need to be looked at, and
> > that's just files with the .php extension.... we've got plenty of .inc's
and
> > other various extensions (including a few sites that parse .html as PHP)
> > that would need to be checked as well.
> >
> > Anybody got any ideas?
> >
> >
>
>
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
