Re: register_globals work arounds
On Thu, Aug 2, 2012 at 2:34 PM, rich gray <[email protected]> wrote:
>
> On 02/08/2012 13:51, Lester Caine wrote:
>
>> OK
>>
>> No discussions on why register_globals has been removed, we all understand
>> why and now have to live with that ... I'm not whinging here!
>>
>> The question is "Does anybody have an 'elegant' fix to quickly update a
>> legacy site that relies on globals to pass variables between page views?"
>> My original quick thought was simply to remap these variables as
>> $_SESSION['var'] so as not to get too deeply into the code base. I've used
>> that in a few quick fixes, but I'm not sure that it is acceptable? I have
>> been passing the variables via $_REQUEST but that obviously needs a lot
>> more work in the html generated, so the session approach would seem better?
>> But needs to observe the European rules on use of cookies :(
>>
>> I'm thinking that what is needed is a sort of PEAR package that would
>> simply be added to every page and be provided with a list of variables to
>> manage, so all we need to do is scan the site for variables and establish
>> which need to be remembered. I've got all sorts of stuff from google/bing
>> searches, but I'm obviously not yet asking the right question ;) Has
>> anybody already been down that track?
>>
> IMO - this should be posted on PHP general not internals -- have you
> tried extract() ?
> http://fr2.php.net/extract
>
> Rich
>
unconditionally extracting variables from user-controlled arrays into the
current/global scope was really a bad decision, if you don't know why, pls.
check the documentation ( http://php.net/manual/en/security.globals.php )
one could use extract() to simulate the behavior of register_globals, but
with that you would be vulnerable to the same attack vectors, so we
shouldn't support that imo.
for a long term fix, one has to read through all of the codebase, discover
the implicit references of the global variables (this is one of the many
problems with register_globals) and replace them with explicit references.
so in this example:
<?php
include './bootstrap.php';
if($admin){   // $admin is never defined here: an implicit global reference
}
else{
}
one has to discover where the $admin variable comes from, and replace
it with $_SESSION['admin'] for example
it is a painful process and can't really be automated. :(
--
Ferenc Kovács
@Tyr43l - http://tyrael.hu
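As an added illustration (not Ferenc's code and not part of the thread), the snippet below puts an extract()-based register_globals emulation beside the explicit rewrite the reply describes: for an unauthenticated visitor who sends admin=1, the legacy page returns the admin view while the fixed page does not. authenticated_user() and the plain arrays standing in for $_REQUEST and $_SESSION are assumptions made for the example.

```php
<?php
// Added example, not from the thread. $admin, authenticated_user() and the
// array stand-ins for $_REQUEST / $_SESSION are assumptions for illustration.

// Stand-in for the bootstrap's authentication check.
function authenticated_user(array $session): bool
{
    return isset($session['user_id']);
}

// BEFORE: register_globals emulated with extract(). When the visitor is not
// authenticated, nothing below initialises $admin, so whatever the request
// carried under that name survives into the access check.
function page_legacy(array $request, array $session): string
{
    extract($request);                 // imports $admin from user input
    if (authenticated_user($session)) {
        $admin = true;
    }
    return !empty($admin) ? 'admin panel' : 'login form';
}

// AFTER: no extract(). Request data is only ever read by key, and the value
// that has to survive between page views lives under an explicit session key.
function page_fixed(array $request, array $session): string
{
    $page = $request['page'] ?? 'home'; // legitimate input, read by name
    if (authenticated_user($session)) {
        $session['admin'] = true;       // stand-in for $_SESSION['admin'] = true
    }
    // Explicit reference replaces the implicit $admin of the legacy page.
    return !empty($session['admin']) ? 'admin panel' : "login form ($page)";
}

// Constructed input: an unauthenticated visitor sending admin=1.
$request = ['admin' => '1'];
$session = [];
echo "legacy: ", page_legacy($request, $session), "\n";
echo "fixed:  ", page_fixed($request, $session), "\n";
```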