on 25/09/02 2:04 PM, Thom Porter ([EMAIL PROTECTED]) wrote:

> The applications vary from site to site.  Many of them use include files,
> some of them don't.  One thing that is nice is any apps that use cookies or
> sessions go through the _COOKIE or _SESSION arrays already.


> I did think of something that could be very useful, but I'm not sure if it's
> just as bad as having register_globals on or not... but basically, something
> like this:
> foreach($_POST as $k=>$v) {
> $$k = $v;
> }
> Does that not defeat the purpose, or is it just a really good idea?

Well, doing this, or using extract(), or import_request_variables() is more
like a patch or quick fix rather than solving the problem.  The reason is
that you actually want to ONLY work with vars which you expect or trust.

Having a get var of adminuser=true could let someone evil do serious damage
to a content management system!!!

Since you're already achieving such a quick fix with .htaccess or whatever,
this doesn't really help.

Ultimately, you need to go through each file and determine what GET and POST
variables are expected for each script, and list them at the top of the

$v1 = $_GET['v1'];
$v2 = $_POST['v2'];
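Added example (not code from the original mail) showing the two approaches side by side: the `$$k` loop from the quoted reply, where a client supplying adminuser=true overwrites the script's own default, and the explicit form above, where only the expected variables are read and privilege is never taken from the request. The POST data, the function names and the login logic are constructed for the demonstration.

```php
<?php
// Constructed request: a normal user who also sends the adminuser flag.
$_POST = ['username' => 'alice', 'adminuser' => 'true'];

// Risky: every POST key becomes a local variable, so the client decides
// the value of $adminuser (or of any variable initialised before the loop).
function risky_login(array $post): string
{
    $username  = '';
    $adminuser = false;              // the script's own default ...
    foreach ($post as $k => $v) {
        $$k = $v;                    // ... silently replaced by POST adminuser=true
    }
    return ($adminuser ? 'admin' : 'user') . ' session for ' . $username;
}

// Explicit: only the variables this script expects are read, each with a
// default, and the admin decision stays inside the application.
function explicit_login(array $post): string
{
    $username  = isset($post['username']) ? (string) $post['username'] : '';
    $adminuser = false;              // would be set from the user table, never from $_POST
    return ($adminuser ? 'admin' : 'user') . ' session for ' . $username;
}

echo risky_login($_POST), "\n";
echo explicit_login($_POST), "\n";
```

Run with the CLI interpreter; the first line reports an admin session for alice and the second a user session, which is the whole difference between importing everything and listing what you expect.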


In the case of POST, you can easily look at the page preceding it with the
form, and go through the POST variables... GET is a little harder, because
you have to read through the script, or otherwise determine the expected GET

This could be a big job manually if you haven't documented the scripts, or
there may be some way to do it programmatically, but I haven't seen it yet.

On a page-by-page basis you could do something like this at the top of each

echo '<pre>';
// dump the request variables this script actually received; keys and
// values are HTML-escaped so the dump cannot inject markup into the page
foreach($_POST as $k=>$v)
    echo '$_POST[\''.htmlspecialchars($k).'\'] = '.htmlspecialchars($v)."\n";
foreach($_GET as $k=>$v)
    echo '$_GET[\''.htmlspecialchars($k).'\'] = '.htmlspecialchars($v)."\n";
echo '</pre>';

Then you could "surf" the site, visit each script, copy the output for each
different instance of the page (there will be different variables set for
different 'state' on some scripts I assume), paste it into the top of the
script, and it should fix the problem... or at least help :)

Untested, experimental code by the way.
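A more automatic version of the same idea, added here as an example rather than code from the mail: an include that logs which GET and POST keys each script actually receives while people use the site, plus a helper that merges the log per script and emits the explicit assignment lines to paste at the top. The log path, the function names and the two sample requests are assumptions; in practice the record call would go in an auto_prepend_file or be require()d by each script with $_SERVER['SCRIPT_NAME'], $_GET and $_POST as arguments.

```php
<?php
const REQUEST_VAR_LOG = '/tmp/request_vars.log';   // assumed location

// Append one line per request: script path, then the key names seen in
// GET and POST (key names containing ',' or a tab are not handled here).
function record_request_vars(string $script, array $get, array $post, string $log = REQUEST_VAR_LOG): string
{
    $line = $script
        . "\tGET=" . implode(',', array_keys($get))
        . "\tPOST=" . implode(',', array_keys($post)) . "\n";
    file_put_contents($log, $line, FILE_APPEND | LOCK_EX);
    return $line;
}

// Read the log back and merge keys per script across all recorded requests,
// since the same script receives different variables in different states.
function collect_request_vars(string $log = REQUEST_VAR_LOG): array
{
    $seen = [];
    foreach (file($log, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        [$script, $get, $post] = explode("\t", $line, 3);
        foreach (['GET' => $get, 'POST' => $post] as $src => $list) {
            $keys = array_filter(explode(',', substr($list, strlen($src) + 1)), 'strlen');
            foreach ($keys as $key) {
                $seen[$script][$src][$key] = true;
            }
        }
    }
    return $seen;
}

// Emit the explicit assignments for one script. Keys that are not valid PHP
// identifiers are reported and skipped; register_globals could never have
// turned them into plain variables either.
function assignment_stub(array $vars): string
{
    $out = '';
    foreach ($vars as $src => $keys) {
        foreach (array_keys($keys) as $key) {
            if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $key)) {
                $out .= '// skipped non-identifier key: ' . var_export($key, true) . "\n";
                continue;
            }
            $out .= sprintf("\$%s = isset(\$_%s['%s']) ? \$_%s['%s'] : null;\n",
                            $key, $src, $key, $src, $key);
        }
    }
    return $out;
}

// Constructed requests standing in for two visits to the same script.
@unlink(REQUEST_VAR_LOG);
record_request_vars('/news/edit.php', ['id' => '7'], []);
record_request_vars('/news/edit.php', ['id' => '7'], ['title' => 'x', 'body' => 'y']);

foreach (collect_request_vars() as $script => $vars) {
    echo "// $script\n", assignment_stub($vars);
}
```

Leaving the recorder in place for a while before generating the stubs matters, because a script only appears in the log with the variables that were actually used against it; anything never exercised still has to be read from the source by hand.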

It still isn't going to be easy across 8000 scripts.

Perhaps you just need to leave the old apps alone and concentrate on getting
the new stuff right... come back to the old stuff when you have time/budget.

Good luck,


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
