[Pmwiki-users] Safer .php-files

Thomas -Balu- Walter list+pmwiki-users
Thu Feb 26 10:19:20 CST 2004


On Thu, Feb 26, 2004 at 09:57:05AM -0700, Patrick R. Michaud wrote:
> I agree with the idea of using defined constants over variables.  
> However, it should also be noted that PmWiki actually protects against
> register_globals by explicitly unsetting any such globals that might
> have been set.

Nice. Didn't realize that yet - even if it is easy to see in the code
:). Anyway, using defines is still more secure, since $_REQUEST might not
catch all variables - e.g. you are missing $_ENV, $_SERVER and $_FILES
(those cannot be used to exploit something, could they?).

Perhaps in a future version one could also configure PHP not to put $_POST
into $_REQUEST, or it will be broken somehow in some version.

Of course everything is theoretical, but the variable handling in PHP
changed so often[1] by now that I'd expect everything. 

     Balu

[1] register_globals, superglobals, my worst enemy: magic_quotes_gpc[2], ...
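The two mitigations discussed in this thread (unsetting any global that arrived via a request, and preferring define() constants over variables) sketched in PHP as an added example. This is not PmWiki's own code: the function names, the sample request and the site-configuration variable are constructed for illustration, and register_globals (removed in PHP 5.4) is emulated with extract() so the script runs on current PHP.

```php
<?php
// Added example, not code from PmWiki or from the thread.

// Constructed request: an attacker appends ?IsAdmin=1&SiteName=evil to the URL.
$_GET     = ['IsAdmin' => '1', 'SiteName' => 'evil'];
$_POST    = [];
$_COOKIE  = [];
$_REQUEST = $_GET;

// Emulate register_globals=On: every request key becomes a global variable.
// (Assumption: on real PHP 4 this happened implicitly before the script ran.)
extract($_REQUEST, EXTR_OVERWRITE);   // now $IsAdmin === '1' and $SiteName === 'evil'

// Mitigation 1: before any configuration is read, drop every global whose
// name matches a key of any input array. Covers $_FILES, $_SERVER and $_ENV
// as well, not only what lands in $_REQUEST.
function unset_request_globals(): array
{
    $removed = [];
    foreach (['_GET', '_POST', '_COOKIE', '_REQUEST', '_FILES', '_SERVER', '_ENV'] as $src) {
        foreach (array_keys($GLOBALS[$src] ?? []) as $name) {
            $name = (string) $name;
            // Never unset the superglobals themselves or $GLOBALS.
            if ($name === 'GLOBALS' || $name[0] === '_') {
                continue;
            }
            if (array_key_exists($name, $GLOBALS)) {
                unset($GLOBALS[$name]);
                $removed[] = $name;
            }
        }
    }
    return array_values(array_unique($removed));
}

$removed = unset_request_globals();
// $removed === ['IsAdmin', 'SiteName']; both injected globals are gone.

// Only now load the site configuration (constructed stand-in for config.php).
$IsAdmin  = $IsAdmin  ?? false;   // safe: the injected value was removed above
$SiteName = $SiteName ?? 'PmWiki';

// Mitigation 2: a constant cannot be redefined, so even with register_globals
// on, a request parameter named SITE_NAME cannot overwrite it.
define('SITE_NAME', 'PmWiki');
function site_name_is_tamper_proof(): bool
{
    // define() returns false for an already-defined name; the value is unchanged.
    $second = @define('SITE_NAME', 'evil');
    return $second === false && SITE_NAME === 'PmWiki';
}

var_dump($removed, $IsAdmin, $SiteName, site_name_is_tamper_proof());
```

The ordering matters: unset_request_globals() has to run before config.php (or any code that assigns defaults with `if (!isset($x))`) is included, otherwise an injected value survives as the "existing" setting. The constant approach avoids the ordering question entirely, which is why it is the safer of the two.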
