Re: [binarycloud-dev] Re: Lang

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

<snip>
we will require (among other things) that you
> use $Request->GetVar instead of assuming register_globals is on. Of
course,
> if that pisses you off, you don't have to use it... just turn
> register_globals on and go about your business. (but don't get pissed off
> when someone manages to post php code or javascript into your database
> because you weren't watching closely :)
>
> so, it's best to get all of your incoming user vars from one place, i.e. a
> core class:
>
> $Request->GetVar('foo');
>
> that way, users can't post strange things into your environment without
your
> knowledge, because you have to explicitly request each variable.
>
> why this and not $HTTP_POST_VARS[foo] ? because it's nice to be able to
> build code that will work with a get ?foo=stuff or a post.

Ideally, you'd still keep both - so you could POST to
foo.com/something/param1/param2

and get the params as GET and your POSTed stuff as POST.

But that's not why I write...

We've put together something similar to bc, and had to make the same
decision
awhile ago, and it's something we enforce - no option to turn globals on -
actually, I don't care if they're on, no code references anything by
globals.
This was fine for the core of us using it, and caused consternation when
someone
new came on board who wasn't use to it.  And I remember hating it in ASP a
few years
ago.

foo.com/index.php?bar=cow

having $bar=="cow" *automatically* was one of the big selling points of PHP
back then.
But as we've noticed throughout the years, and Alex points out again,
security
is a concern with this.  And forcing this kind of structure on to an
application
can only help as it gets bigger.  Also, another neat thing we've been able
to do
easily (not that it couldn't be done with HTTP_POST_VARS, etc) is log
request data.
In one app, we log all incoming POST data - it helped for debugging, and we
just left it
in.  It helps occasionally troubleshoot problems we have with user errors
("I didn't
make that purchase!" - well, the POST data from your IP at that time shows
you did, etc.)
Overkill for most apps, yes, but imposing these kinds of structures can
really be
helpful.  Wow, maybe ASP had a redeeming quality?  ;)

MK