ID: 13645
Updated by: sniper
Reported By: [EMAIL PROTECTED]
Old Status: Open
Status: Analyzed
Old Bug Type: *Configuration Issues
Bug Type: Documentation problem
Operating System: Mandrake Linux 8.0
PHP Version: 4.0.6
New Comment:

This is intended behaviour but you're right about it not being documented. This should be mentioned at:

http://www.php.net/manual/en/language.variables.predefined.php

Also, the new global variables for 4.1.0 are undocumented:

$_GET
$_POST
$_COOKIE
$_SERVER
$_ENV
$_FILES
$_REQUEST

and import_request_variables() function is not documented.

--Jani

p.s. track_vars is enabled always regardless of any settings since 4.0.3

Previous Comments:
------------------------------------------------------------------------

[2001-10-11 18:10:00] [EMAIL PROTECTED]

As for the logic of the php.ini texts, I understand variables_order defines the order in which vars are assigned into global space. track_vars should enable ALL HTTP_*_VARS.

However, leaving out one of egpcs in variables_order disables the corresponding HTTP_*_VARS! (empty array)

Besides the point, that this seems to be not-as-documented, "correct" behaviour would solve a whole lot of security problems:

; only assign "safe" variables to global space, but DO
; assign them -> convenience for safe vars!
variables_order = "S"
; access all other by HTTP_*_VARS
track_vars = on

Please correct me, if I'm wrong.

------------------------------------------------------------------------

Edit this bug report at http://bugs.php.net/?id=13645&edit=1