ID: 16155
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Open
-Bug Type: Feature/Change Request
+Bug Type: PHP options/info functions
Operating System: all
PHP Version: CVS
New Comment:
feature request-> php options bug
Previous Comments:
------------------------------------------------------------------------
[2002-07-10 20:13:50] [EMAIL PROTECTED]
Yes, these mods definitely sound good.
------------------------------------------------------------------------
[2002-07-10 20:08:46] [EMAIL PROTECTED]
This is a feature request as it's documented and expected bahavior.
Your points are valid and shared by many. It's a matter of sitting
down, thinking it through, and coming up with a nice BC friendly
solution.
In speaking with Zeev, he tentively suggested the following:
(a) Decouple variables_order from the $_* / $HTTP_*_VARS
completely.
(b) Make it possible to prevent $_ENV and $_SERVER from
being populated. Like env_autoglobal = on and
server_autoglobal = on.
(c) It shouldn't be possible to prevent $_GET, $_POST,
$_COOKIE, and $_FILES from being populated.
This falls in line with your suggestions. The current variables_order
manual entry is vague on this particular matter, yes, but it's there,
and it's much clearer in the other aforementioned entries.
With variables_order = GPCS and register_globals = off, the global
namespace will not be polluted. Not sure what you mean there as
$_GET['id'] will exist, $id will not.
------------------------------------------------------------------------
[2002-07-10 19:02:52] [EMAIL PROTECTED]
Oops.
That should be
track_vars On
That's all. What this implies is that if track_vars is on,
variables_order shouldn't prohibit any HTTP_*_VARS variable from being
set (i.e., parsing always occurs). The only utility that
variables_order gives you is the ability to say with some certainty
where a particular global might have originated given overlapping names
in two or more sources. That is, if I have a foo in my cookies, a url
that looks like http://www.blorg.com/blech.php?foo=bar, and a POST var
called foo on the same page, AND if variables_order is set to "CGP", I
know for sure that the global $foo came from the POST if there was one,
then from the Get (URL), then from the cookies. And that's it!
------------------------------------------------------------------------
[2002-07-10 18:57:33] [EMAIL PROTECTED]
No, it won't, because that will also add the variables to the global
namespace. This is not a feature request -- it's *making the system
work as advertised*. There already is -- or should be, if the writers
of the documentation were correct -- a way to disable global variable
imports, which ought to be the configuration lines
register_globals = Off
variables_order = ""
That is,
- register_globals should control the registration of globals, and
- variables_order should control the source(s) of and order of
global variable parsing.
Just like it says in the documentation:
"variables_order string
Set the order of the EGPCS (Environment, GET, POST, Cookie, Server)
variable parsing. The default setting of this directive is "EGPCS".
Setting this to "GP", for example, will cause PHP to completely ignore
environment variables, cookies and server variables, and to overwrite
any GET method variables with POST-method variables of the same name."
Notice how the above makes NO mention of whether track_vars is set --
but that doesn't matter, because track_vars IS ALWAYS SET ON! That
implies that variable tracking in HTTP_*_VARS should ALWAYS happen.
ALWAYS.
The tools to do this already exists. This is not a feature but a bug
-- the extant documentation describes a rationally behaving
environment, but PHP no longer conforms to it.
------------------------------------------------------------------------
[2002-07-10 18:21:53] [EMAIL PROTECTED]
Just set the PHP predefined variables you want in the variables_order
directive. Like, GPCS or EGPCS. And turn register_globals off. This
will do what you want.
I'm turning this into a feature request and changing the summary. See
Rasmus' post/thread for details on this request.
Whoever decided that variables_order should be 'es' during your install
should be informed on the matter too.
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/16155
--
Edit this bug report at http://bugs.php.net/?id=16155&edit=1
