#9 PHPLib fails with register_globals off

closed
None
1
2002-04-25
2001-08-27
Bob Gorman
No

PHPLib should work when register_globals is off.

See bug #446455. (Also submitted accidentally as patch
#455851, oops.)

Many PHPLib scripts depend on PHP automatically
registering variables into the global name space.

If we set register_globals to off via .htaccess (or
another method) for security reasons then portions of
PHPLib fail to function properly.

In bug #446455 I document a short-term workaround.
It would be better if the PHPLib scripts would work
properly regardless of the setting of
register_globals.

Specifically, PHPLib should use the HTTP_*_VARS to
gather the values of variables passed from the client.

For example:

In function auth_validatelogin() we see:

global $username, $password;

This should be re-coded as:

global $HTTP_POST_VARS;
$username = $HTTP_POST_VARS["username"];
$password = $HTTP_POST_VARS["password"];

Or even better is:

$username = isset($HTTP_POST_VARS["username"]) ? $HTTP_POST_VARS["username"] : "";
$password = isset($HTTP_POST_VARS["password"]) ? $HTTP_POST_VARS["password"] : "";

Use of isset() is added to prevent errors when using
E_NOTICE.

The script session.inc is coded pretty well. Others
are not.

I think this is important for the long-term viability
of PHPLib.
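
An added illustration, not PHPLib code and not part of the original report, of why reading from an explicit request array is safer than relying on register_globals. It is written for current PHP, where `$_POST` replaces `$HTTP_POST_VARS`; `extract()` stands in for register_globals, and the function names, field names and sample values are hypothetical.

```php
<?php
// Added example: emulates register_globals=On, where every request
// parameter becomes a variable before the script's own logic runs.
function login_with_register_globals(array $request): bool
{
    extract($request);                       // stand-in for register_globals
    if (isset($username, $password)
        && $username === 'bob' && $password === 'constructed-secret') {
        $authorized = true;
    }
    // $authorized is never initialised here, so a request parameter of
    // the same name is still in scope at this point.
    return !empty($authorized);
}

// Reads one scalar field from an explicitly named source array.
function post_string(array $post, string $name): string
{
    // isset() avoids the E_NOTICE on a missing key; is_string() rejects
    // "username[]=x", which PHP parses into an array rather than a string.
    return isset($post[$name]) && is_string($post[$name]) ? $post[$name] : '';
}

function login_explicit(array $post): bool
{
    $authorized = false;                     // always initialised locally
    $username = post_string($post, 'username');
    $password = post_string($post, 'password');
    if ($username === 'bob' && hash_equals('constructed-secret', $password)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed sample requests (in a real script this would be $_POST).
$samples = [
    'valid login'      => ['username' => 'bob', 'password' => 'constructed-secret'],
    'unexpected field' => ['authorized' => '1'],
    'array-valued'     => ['username' => ['bob'], 'password' => 'constructed-secret'],
];

foreach ($samples as $label => $request) {
    printf("%-17s globals-style=%s explicit=%s\n",
        $label,
        var_export(login_with_register_globals($request), true),
        var_export(login_explicit($request), true));
}
```

The two functions disagree only on the "unexpected field" request, which is the case that turning register_globals off is meant to close.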

Discussion

  • Bob Gorman
    2001-08-27

    • priority: 5 --> 7
     
  • Richard Archer
    2002-04-25

    • priority: 7 --> 1
    • assigned_to: nobody --> richardarcher
    • status: open --> closed
     
  • Richard Archer
    2002-04-25

    This is fixed in CVS.