Re: How to trim parameters and give them a prefix?

Posted by Thomas Mlynarczyk on 05/22/07 10:20

Thus spoke jmark@fastermail.com:

>>> import_request_variables('gp', 'p_');

>> Why? It's simpler, cleaner and safer to work with $_GET / $_POST
>> directly.

> I may agree with simplicity and cleanliness to some extent but how is
> it safer?

There are general security issues with global variables. With
register_globals on, anyone could create a global variable with any content
in your script. Thus, you would have to be *very* careful and make
absolutely sure all your global variables are properly initialized by your
script. This can be done, of course, but it *is* a potential source for
security leaks. In addition, there is a security hole in some versions of
PHP (both 4 and 5) where it is possible for a hacker to overwrite your whole
$GLOBALS array. Another point: If you import the request variables, you
cannot be sure whether they come from $_GET or $_POST or if they are set at
all.

Of course, if register_globals is off, you are much safer. But what if
someday your script runs in an environment with register_globals on?
Besides, using global variables the way you intend to indicates bad coding
practices. If someday your script should become part of another project
using global variables, name collisions may occur leading to errors which
might be hard to debug.

Greetings,
Thomas
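
The risks described in the post above, as an added example that is not part of the original message: `import_prefixed` is a hypothetical stand-in for `import_request_variables('gp', 'p_')` (that function and `register_globals` were removed in PHP 5.4), and the request arrays, the `is_admin` parameter and the function names are constructed for illustration.

```php
<?php
// Constructed sample request (assumption): the client sends an extra
// "is_admin" query parameter and the same "name" key in both GET and POST.
$_GET  = ['name' => ' alice ', 'is_admin' => '1'];
$_POST = ['name' => ' bob '];

// Hypothetical stand-in for import_request_variables('gp', 'p_'):
// copies GET, then POST, into prefixed globals; later sources win.
function import_prefixed(array $sources, string $prefix): void
{
    foreach ($sources as $source) {
        foreach ($source as $key => $value) {
            $GLOBALS[$prefix . $key] = $value;
        }
    }
}

// Imported style: the script forgot to initialise $p_is_admin, so the
// request decides its value, and $p_name silently comes from POST.
function role_imported(): string
{
    import_prefixed([$_GET, $_POST], 'p_');
    global $p_name, $p_is_admin;
    return trim($p_name) . ':' . (!empty($p_is_admin) ? 'admin' : 'user');
}

// Direct style: the source array is explicit, a missing or non-string
// value is handled, and privilege state never comes from request data.
function role_direct(array $post, bool $isAdmin): string
{
    $name = (isset($post['name']) && is_string($post['name']))
        ? trim($post['name'])
        : '';
    return $name . ':' . ($isAdmin ? 'admin' : 'user');
}

echo role_imported(), PHP_EOL;
echo role_direct($_POST, false), PHP_EOL;
```

The imported variant treats the caller as an admin purely because of the request parameter, and gives no indication that the name came from POST rather than GET; the direct variant does neither.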

 
