#1 path_persist overrides GET values

open
Sandy Smith
None
7
2003-03-11
2003-02-13
Sandy Smith
No

The path_persist class, as implemented, will override
GET values coming to a page.

This can happen, for example, if you send a newsletter
off to a Perl script that sends the newsletter via a
socket and then returns to a result page. (we wouldn't
know of any applications doing that, now, would we??)

Since the path_persist stuff can't be passed to the
Perl script, the GET values are overridden due to the
logic in the initialize() method (I think) which seems
to resurrect and force all the vars to be the old ones
if the persist stuff hasn't been passed.

Discussion

  • Hans Lellelid
    2003-02-20

    Logged In: YES
    user_id=568541

    Hi :-) Right, that's correct. It's looking for presence of 'persist' var in
    the request. It might make sense to simply have the perl script pass
    back an empty persist var in the GET string (or perhaps adding it to
    the $ref passed to the perl script would work just as well).

    Path_persist is kinda cool, but also a headache when it comes to
    debugging pages. I would think that removing it from the admin &
    dbasis tools would make sense. (Especially the admin area, where
    persistence is not a high priority, I don't think.)

     
  • Nyk Cowham
    2003-03-11

    • assigned_to: nobody --> sandys1
     
  • Sandy Smith
    2003-05-11

    Logged In: YES
    user_id=688456

    Had a brainwave related to this bug: the problem isn't that
    it is persisting even when not explicitly passed. The
    problem is that it sets global variables for every var
    passed by the form.

    Partially this is a problem of using register_globals, but
    mainly I think this is a shortcut that has come back to bite
    us. It should be used like it is in Context's list.php
    script as of v. 0.0.4: check for the passed value and, only
    if it is not present, set the value of that var to the
    version stored in the $persist object. However this
    functionality should be clobbered by the use of the global
    keyword in the _reload_vars() private function in the
    path_persist class--unless the sort vars are explicitly
    being excluded from the persist form var, or set using load_tab.

    Using $_REQUEST will eliminate this problem in the short term.

    Long term DBasis and Context (and the input class?) must be
    cleansed of reliance on global vars set by path_persist. All
    persistence must be handled explicitly in code. This will
    also ease portability of Syntax.
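
The precedence problem discussed in this thread, as an added example that is not code from path_persist, DBasis or Context: the first function shows stored values being forced into global scope when no 'persist' variable arrives, the second shows the explicit lookup that reads the request first. All function names, variable names and sample values are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; not the project's own code. Names are hypothetical.

// Pattern described in the report: when the request carries no 'persist'
// variable, every stored value is forced into the global scope, so a value
// the caller just sent in the query string is replaced by the old one.
function reload_vars_clobbering(array $request, array $stored): void
{
    if (!array_key_exists('persist', $request)) {
        foreach ($stored as $name => $value) {
            $GLOBALS[$name] = $value;   // overwrites whatever the request set
        }
    }
}

// Explicit alternative from the last comment: read the request first and
// fall back to the stored value only when the request does not carry it.
function persisted_value(string $name, array $request, array $stored, $default = null)
{
    if (array_key_exists($name, $request)) {
        return $request[$name];
    }
    return array_key_exists($name, $stored) ? $stored[$name] : $default;
}

// Constructed sample data: a result page reached with ?status=sent after the
// external script returns, while an earlier visit stored status=draft.
$request = ['status' => 'sent'];                      // stands in for $_REQUEST
$stored  = ['status' => 'draft', 'sort' => 'title'];  // stands in for the persist object

// Simulate register_globals: the request value becomes a global first.
$GLOBALS['status'] = $request['status'];
reload_vars_clobbering($request, $stored);
var_dump($GLOBALS['status']);                            // stored value has replaced the request value

var_dump(persisted_value('status', $request, $stored));  // request value takes precedence
var_dump(persisted_value('sort', $request, $stored));    // absent from request, stored value used
```

Because the second function never writes to global scope, a request parameter cannot silently create or replace an unrelated variable, which is the register_globals concern raised in the thread.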