On Thu, Aug 2, 2012 at 2:34 PM, rich gray <[email protected]> wrote:
On 02/08/2012 13:51, Lester Caine wrote:
OK
IMO - this should be posted on PHP general not internals -- have
you tried extract() ?
http://fr2.php.net/extract
Rich
unconditionally extracting variables from user-controlled arrays into the current/global scope was really a bad decision, if you don't know why, pls. check the documentation ( http://php.net/manual/en/security.globals.php )
one could use extract() to simulate the behavior of register_globals, but with that you would be vulnerable to the same attack vectors, so we shouldn't support that imo.
for a long term fix, one has to read through all of the codebase, discover the implicit references of the global variables (this is one of the many problems with register_globals) and replace them with explicit references.
so in this example:
<?php
include './bootstrap.php';
if($admin){
}
else{
}
one has to discover where the $admin variable comes from, and replace it with $_SESSION['admin'] for example
it is a painful process and can't really be automated. :(
I agree using extract() is bad as was register_globals but (as I read his original post) he wanted a solution to simulate register_globals = 1 and I gave it to him - still not sure why this is being discussed on internals but hey...
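
The difference discussed in this thread, as an added example that is not code from any of the posters: the first function imports request data with extract() the way register_globals = 1 did, so a request parameter named "admin" decides the check; the second reads the flag explicitly from the session and ignores the request. The function names, the session layout and the sample request are assumptions made up for the illustration.

```php
<?php
// Added illustration. Function names, session layout and sample values are
// constructed; they do not come from the thread or from any real code base.

// "Before": request data is imported into the local scope, as
// register_globals = 1 did at script start-up. $admin is only assigned by
// the application on the "yes" path, so on every other path it holds
// whatever the request supplied.
function is_admin_implicit(array $request, array $session): bool
{
    extract($request);                  // default mode is EXTR_OVERWRITE
    if (!empty($session['admin'])) {
        $admin = true;
    }
    return !empty($admin);              // implicit reference to $admin
}

// "After": the implicit reference is replaced by an explicit one, so the
// origin of the value is visible at the point of use.
function is_admin_explicit(array $request, array $session): bool
{
    return isset($session['admin']) && $session['admin'] === true;
}

// Constructed input: a visitor without an admin session who sends
// ?admin=1&page=home in the query string.
$session = [];
$request = ['admin' => '1', 'page' => 'home'];

printf("implicit (extract):  %s\n",
    var_export(is_admin_implicit($request, $session), true));
printf("explicit (\$_SESSION): %s\n",
    var_export(is_admin_explicit($request, $session), true));

// Constructed input: a genuine admin session and no request parameters.
// Both checks agree here, which is why the implicit version looks correct
// in ordinary testing.
$session = ['admin' => true];
$request = [];

printf("implicit, admin session: %s\n",
    var_export(is_admin_implicit($request, $session), true));
printf("explicit, admin session: %s\n",
    var_export(is_admin_explicit($request, $session), true));
```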