ID: 16155 Comment by: cly109 at 126 dot com Reported By: rlm at pricegrabber dot com Status: Open Bug Type: Feature/Change Request Operating System: all PHP Version: 4CVS New Comment:
The price of Buy<a href="http://www.mytopchi.com">chi hair straightener</a> for the two new races is as the same as the original races. Previous Comments: ------------------------------------------------------------------------ [2002-10-07 12:38:20] phi...@php.net feature request-> php options bug ------------------------------------------------------------------------ [2002-07-10 20:08:46] phi...@php.net This is a feature request as it's documented and expected bahavior. Your points are valid and shared by many. It's a matter of sitting down, thinking it through, and coming up with a nice BC friendly solution. In speaking with Zeev, he tentively suggested the following: (a) Decouple variables_order from the $_* / $HTTP_*_VARS completely. (b) Make it possible to prevent $_ENV and $_SERVER from being populated. Like env_autoglobal = on and server_autoglobal = on. (c) It shouldn't be possible to prevent $_GET, $_POST, $_COOKIE, and $_FILES from being populated. This falls in line with your suggestions. The current variables_order manual entry is vague on this particular matter, yes, but it's there, and it's much clearer in the other aforementioned entries. With variables_order = GPCS and register_globals = off, the global namespace will not be polluted. Not sure what you mean there as $_GET['id'] will exist, $id will not. ------------------------------------------------------------------------ [2002-07-10 19:02:52] rlm at pricegrabber dot com Oops. That should be track_vars On That's all. What this implies is that if track_vars is on, variables_order shouldn't prohibit any HTTP_*_VARS variable from being set (i.e., parsing always occurs). The only utility that variables_order gives you is the ability to say with some certainty where a particular global might have originated given overlapping names in two or more sources. That is, if I have a foo in my cookies, a url that looks like http://www.blorg.com/blech.php?foo=bar, and a POST var called foo on the same page, AND if variables_order is set to "CGP", I know for sure that the global $foo came from the POST if there was one, then from the Get (URL), then from the cookies. And that's it! ------------------------------------------------------------------------ [2002-07-10 18:57:33] rlm at pricegrabber dot com No, it won't, because that will also add the variables to the global namespace. This is not a feature request -- it's *making the system work as advertised*. There already is -- or should be, if the writers of the documentation were correct -- a way to disable global variable imports, which ought to be the configuration lines register_globals = Off variables_order = "" That is, - register_globals should control the registration of globals, and - variables_order should control the source(s) of and order of global variable parsing. Just like it says in the documentation: "variables_order string Set the order of the EGPCS (Environment, GET, POST, Cookie, Server) variable parsing. The default setting of this directive is "EGPCS". Setting this to "GP", for example, will cause PHP to completely ignore environment variables, cookies and server variables, and to overwrite any GET method variables with POST-method variables of the same name." Notice how the above makes NO mention of whether track_vars is set -- but that doesn't matter, because track_vars IS ALWAYS SET ON! That implies that variable tracking in HTTP_*_VARS should ALWAYS happen. ALWAYS. The tools to do this already exists. This is not a feature but a bug -- the extant documentation describes a rationally behaving environment, but PHP no longer conforms to it. ------------------------------------------------------------------------ [2002-07-10 18:21:53] phi...@php.net Just set the PHP predefined variables you want in the variables_order directive. Like, GPCS or EGPCS. And turn register_globals off. This will do what you want. I'm turning this into a feature request and changing the summary. See Rasmus' post/thread for details on this request. Whoever decided that variables_order should be 'es' during your install should be informed on the matter too. ------------------------------------------------------------------------ The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/16155 -- Edit this bug report at http://bugs.php.net/?id=16155&edit=1