Posted by Joe Krahn on 07/02/05 21:35
Richard Lynch wrote:
> On Thu, June 30, 2005 8:47 pm, Joe Krahn said:
>
>>PHP imports GET and POST data to array elements by senselessly
>>converting periods and spaces to underscore. The intent is to make
>>strings variable-name compatible for conversion directly into global
>>variables via import_request_variables or register_globals.
>
>
> Honestly?...
>
> Why in the world would you have variable names or even array keys with
> such weird keys anyway, other than the imagemaps, of course?
>
> [shrug]
I was trying to create a form whose value names would match key names
from a database. To avoid conflict, I decided to prefix the other form
values with a period, and was surprised that it didn't work. The easy
fix was to use another 'special character', but PHP documentation did
not make it clear which characters are 'special', so I tested all 256. I
was even more surprised that a period is special, but control characters
are not.
>
>
>>String-to-variable name mangling should only occur when being converted
>>to variable names, but should be left as is when accessed as array
>>elements. The current implementation is particularly bad because it
>>mangles only periods and spaces, but leaves alone other special/unusual
>>characters. Furthermore, the direct conversion into global name space is
>>discouraged for security reasons.
>>
>>A feature-request was made related to this, but it was marked as "Won't
>>Fix", primarily due to compatibility concerns. However, I think it's a
>>poor design, and there must be some compatible way to move beyond this
>>misfeature.
>
>
> You'd break an awful lot of backwards-compatibility, for anybody actually
> relying on it...
>
> The biggest one being for INPUT TYPE="IMAGE" and image map .x and .y
> variables.
>
> If it weren't for those, I'd say go ahead and change it. There probably
> aren't THAT many users affected by anything else.
>
> It would be nice if the original design had only mangled the variable
> names and not the array keys, but changing it now...
>
> Just too many applications are gonna get broken big-time.
....
> I'm not unsympathetic to your plight, and you're absolutely right it would
> have been a better design had somebody thought to do it that way, oh, 10
> years ago...
Well, I think PHP will be around for a long time, so we're still in
the early days of PHP.
How's this for a trivial backwards-compatible fix -- for array keys,
populate both mangled and unmangled keys.
> HEY!
> Just noticed your email address...
>
> Can you turn off that stupid auto-responder thingie from rr.com that keeps
> spamming the list about viruses it deleted? Thanks. [I think it's rr.com,
> right?...]
It's the admin people... I have no control. They probably think it's
safer to let list people know of a virus than to avoid the extra spam.
Well, I'll send them an email anyhow.
Joe Krahn
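The "populate both keys" idea above, written out as an added example that is not code from this thread: a small parser over the raw query string (the same data PHP mangles into $_GET) that keeps the original field name and also stores the underscore form PHP would have produced. The field names in the sample query are constructed.

```php
<?php
// Added example: parse the raw query string ourselves so that form field
// names such as ".csrf" or "user.name" survive unmangled, while also
// storing the underscore alias PHP itself would put into $_GET.

function mangle_key(string $key): string
{
    // The behaviour discussed in the thread: periods and spaces become '_'.
    return str_replace(['.', ' '], '_', $key);
}

function parse_query_both(string $query): array
{
    $out = [];
    if ($query === '') {
        return $out;
    }
    foreach (explode('&', $query) as $pair) {
        if ($pair === '') {
            continue;
        }
        $eq     = strpos($pair, '=');
        $rawKey = ($eq === false) ? $pair : substr($pair, 0, $eq);
        $rawVal = ($eq === false) ? ''    : substr($pair, $eq + 1);
        $key = urldecode($rawKey);
        $val = urldecode($rawVal);
        // Unmangled key first, then the backwards-compatible mangled alias.
        // Caveat: if a form sends both "a.b" and "a_b", the later pair wins
        // for the shared alias, so validate field names before trusting them.
        $out[$key]             = $val;
        $out[mangle_key($key)] = $val;
    }
    return $out;
}

// Constructed input standing in for $_SERVER['QUERY_STRING'].
$query  = 'user.name=alice&.csrf=t0k3n&map.x=12&map.y=7';
$params = parse_query_both($query);

// Lookups by either spelling now succeed; $_GET alone would only have the
// underscore forms (user_name, _csrf, map_x, map_y).
var_dump(isset($params['.csrf']), isset($params['_csrf']));
var_dump($params['user.name'] === $params['user_name']);
var_dump($params['map.x'], $params['map_y']);
```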