From: Michael K. <mi...@ta...> - 2001-05-26 22:59:08

> <snip> we will require (among other things) that you
> use $Request->GetVar instead of assuming register_globals is on. Of course,
> if that pisses you off, you don't have to use it... just turn
> register_globals on and go about your business. (but don't get pissed off
> when someone manages to post php code or javascript into your database
> because you weren't watching closely :)
>
> so, it's best to get all of your incoming user vars from one place, i.e. a
> core class:
>
> $Request->GetVar('foo');
>
> that way, users can't post strange things into your environment without your
> knowledge, because you have to explicitly request each variable.
>
> why this and not $HTTP_POST_VARS[foo] ? because it's nice to be able to
> build code that will work with a get ?foo=stuff or a post.

Ideally, you'd still keep both - so you could POST to foo.com/something/param1/param2 and get the params as GET and your POSTed stuff as POST. But that's not why I write...

We've put together something similar to bc, and had to make the same decision a while ago, and it's something we enforce - no option to turn globals on - actually, I don't care if they're on, no code references anything by globals. This was fine for the core of us using it, and caused consternation when someone new came on board who wasn't used to it.

And I remember hating it in ASP a few years ago. foo.com/index.php?bar=cow having $bar=="cow" *automatically* was one of the big selling points of PHP back then. But as we've noticed throughout the years, and Alex points out again, security is a concern with this. And forcing this kind of structure on to an application can only help as it gets bigger.

Also, another neat thing we've been able to do easily (not that it couldn't be done with HTTP_POST_VARS, etc.) is log request data. In one app, we log all incoming POST data - it helped for debugging, and we just left it in. It helps occasionally to troubleshoot problems we have with user errors ("I didn't make that purchase!" - well, the POST data from your IP at that time shows you did, etc.) Overkill for most apps, yes, but imposing these kinds of structures can really be helpful.

Wow, maybe ASP had a redeeming quality? ;)

MK
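The single-accessor pattern discussed in this thread, written out as an added example that is not code from the original post or from the "bc" project: a small Request class whose GetVar() is the only way page code reads client input, plus the per-request POST logging the message describes. The class layout, method names other than GetVar, the log format, and the use of the modern $_GET/$_POST superglobals in place of $HTTP_POST_VARS are all assumptions.

```php
<?php
// Added example, not the bc project's code. Every client-supplied value must be
// asked for by name through GetVar(); nothing is ever "auto-set" into a global
// the way register_globals does (e.g. an uninitialized $authorized being filled
// from ?authorized=1), which is the risk the thread is warning about.

class Request
{
    private array $get;
    private array $post;
    private string $logFile;

    // $get/$post are injected so the class can be exercised with constructed
    // arrays; in a real request you would pass $_GET and $_POST.
    public function __construct(array $get, array $post, string $logFile)
    {
        $this->get = $get;
        $this->post = $post;
        $this->logFile = $logFile;

        // Log all incoming POST data once per request, as the thread describes,
        // so a dispute ("I didn't make that purchase!") can be checked later.
        if ($post !== []) {
            $this->logPost();
        }
    }

    // Fetch one variable by name. $source is 'get', 'post', or 'any'; with 'any'
    // POST wins over GET so the same code serves ?foo=stuff and a posted form.
    // Returns $default when the variable was not sent, so callers always get a
    // value they asked for and never a global the client chose to inject.
    public function GetVar(string $name, ?string $default = null, string $source = 'any'): ?string
    {
        if ($source === 'get') {
            $lookup = [$this->get];
        } elseif ($source === 'post') {
            $lookup = [$this->post];
        } else {
            $lookup = [$this->post, $this->get];
        }

        foreach ($lookup as $vars) {
            // Only scalars are returned: nested arrays (foo[]=...) need explicit
            // handling and should not be silently cast to a string.
            if (array_key_exists($name, $vars) && is_scalar($vars[$name])) {
                return (string) $vars[$name];
            }
        }
        return $default;
    }

    // Escape a value for HTML output so posted "<script>" or PHP-looking text is
    // rendered as literal characters rather than markup.
    public static function escape(string $value): string
    {
        return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }

    // One JSON line per request: timestamp, client IP, and the raw POST array.
    private function logPost(): void
    {
        $entry = [
            'time' => date('c'),
            'ip'   => $_SERVER['REMOTE_ADDR'] ?? 'unknown',
            'post' => $this->post,
        ];
        file_put_contents($this->logFile, json_encode($entry) . PHP_EOL, FILE_APPEND);
    }
}

// Constructed sample input standing in for a real request: ?foo=stuff in the
// query string and a form body carrying foo and a comment with markup in it.
$sampleGet  = ['foo' => 'stuff'];
$samplePost = ['foo' => 'posted', 'comment' => '<script>alert(1)</script>'];
$logFile    = sys_get_temp_dir() . '/request-post.log';

$Request = new Request($sampleGet, $samplePost, $logFile);

// POST overrides GET for 'foo'; 'admin' was never sent, so the default comes back.
var_dump($Request->GetVar('foo'));
var_dump($Request->GetVar('foo', null, 'get'));
var_dump($Request->GetVar('admin', 'no'));

// The comment is echoed back escaped, not as live markup.
echo Request::escape($Request->GetVar('comment')), PHP_EOL;

// Show the log line that the constructor appended for this request.
echo file_get_contents($logFile);
```

Because page code has to call GetVar() for each name it wants, a grep for GetVar( gives a complete inventory of the client input an application consumes, which is the "one place" the thread argues for; the log file gives the same inventory per request after the fact.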