[
https://issues.apache.org/jira/browse/THRIFT-717?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12838463#action_12838463
]
David Reiss commented on THRIFT-717:
------------------------------------
Well, I can't accept this patch because it doesn't update every use of
THRIFT_ROOT. However, I'm not convinced that this would be a good approach
even if the patch were complete. I think the security argument is completely
pointless, since any attacker capable of injecting PHP code into your execution
would not need to mess with Thrift to take over your server. The performance
argument is also not compelling, since the cost of a single global lookup is
tiny compared to the cost of including a library file (even with APC (or
HipHop)). Finally, I think that leaving the value in a global gives users more
freedom when setting up their environment. It is easy to determine if it is
already set and easy to fix after the fact if you need to hack around something
in your sandbox.
> Global variables should not be used for configuration of PHP library
> --------------------------------------------------------------------
>
> Key: THRIFT-717
> URL: https://issues.apache.org/jira/browse/THRIFT-717
> Project: Thrift
> Issue Type: Improvement
> Components: Library (PHP)
> Reporter: Nicholas Telford
> Priority: Minor
> Attachments: thrift_php_globalsToConstants.diff
>
> Original Estimate: 2h
> Remaining Estimate: 2h
>
> The Thrift PHP library makes gratuitous use of the $GLOBALS array to store
> basic configuration.
> Globals in PHP are generally bad practice, so I suggest something else: Use
> constants.
> Being immutable, constants are more secure than globals (which could be
> overwritten in scripts susceptible to injection attacks); they also perform
> much better: since the $GLOBALS variable is a hash table, lookups are
> comparatively expensive.
> I will attach a patch soon unless anyone has any better ideas.
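The two configuration styles the ticket and the comment argue about, as an added illustration (not the Thrift library's own code, and not the attached patch). It assumes a setting named THRIFT_ROOT as on the page; the "is it already set?" check is the one David's comment refers to, and the reassignment at the end shows the behavioural difference Nicholas's description relies on.

```php
<?php
// Constructed example for THRIFT-717; the library's real use of $GLOBALS is not reproduced.

// Style 1: global variable (current behaviour). Honour a value the host application
// set before including the library, otherwise fall back to a default.
if (!isset($GLOBALS['THRIFT_ROOT'])) {
    $GLOBALS['THRIFT_ROOT'] = dirname(__FILE__);
}

// Style 2: constant (proposed change). The first define() wins; a later define()
// of the same name is ignored (PHP emits a warning, suppressed here with @).
if (!defined('THRIFT_ROOT')) {
    define('THRIFT_ROOT', dirname(__FILE__));
}

function thriftRootFromGlobal() {
    return $GLOBALS['THRIFT_ROOT'];
}

function thriftRootFromConstant() {
    return THRIFT_ROOT;
}

// The difference the ticket is about: later code (the application itself, or
// anything running in the same request) can reassign a global but not a constant.
$original = thriftRootFromConstant();

$GLOBALS['THRIFT_ROOT'] = '/some/other/path';   // takes effect immediately
@define('THRIFT_ROOT', '/some/other/path');     // no effect: constant keeps its first value

assert(thriftRootFromGlobal() === '/some/other/path');
assert(thriftRootFromConstant() === $original);
```

Both styles support the "set it before including the library" workflow the comment values; only the global can still be changed afterwards, which is the flexibility David defends and the exposure Nicholas objects to.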
--
This message is automatically generated by JIRA.