On Mon, Nov 7, 2011 at 12:39 PM, Wade Preston Shearer <[email protected]> wrote:

> What are the group's thoughts on use of the $GLOBALS superglobal and using the
> global command to pull variables into scope? Are there times when using these
> is considered good practice, or would good architecture always provide an
> alternate solution (such as passing the variable into the function)?
Blindly importing any of the $GLOBALS into scope can do Bad Things. Consider if you have a $host in your DB connection string, and someone puts &host=TheirServerIP into the URL. Depending on the order you do things, you could potentially import that into your local scope, clobbering your own $host, and try to connect to their server with your authentication data. Now they have your username and password.

If you import variables individually, selectively, and always assume that they're going to be messed with, you'll probably be fine security-wise.

-Dan

_______________________________________________
UPHPU mailing list
[email protected]
http://uphpu.org/mailman/listinfo/uphpu
IRC: #uphpu on irc.freenode.net
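Below is an added example illustrating the clobbering scenario Dan describes; it is not code from either poster. It fakes a request by filling $_GET with a constructed array so it runs from the CLI, and the variable names ($db_host, $db_user, $db_pass), the hostnames and the connect_*() functions are all assumed for the demonstration. The DSN is only built as a string, never actually used to open a connection.

```php
<?php
// Added example (not from the original thread). Shows how importing request
// data into global scope lets an attacker redirect the DB connection, and a
// hardened alternative that passes configuration in explicitly.

// Legitimate configuration (assumed names and values).
$db_host = 'db.internal.example';
$db_user = 'app';
$db_pass = 'secret';

// Constructed request: the attacker appended &db_host=203.0.113.5 to the URL.
$_GET = ['page' => 'home', 'db_host' => '203.0.113.5'];

// --- Vulnerable pattern ---------------------------------------------------
// The function reaches into global scope for its settings, so it trusts
// whatever $GLOBALS['db_host'] holds at call time.
function connect_insecure()
{
    global $db_host, $db_user, $db_pass;
    return "mysql:host={$db_host};user={$db_user};pass={$db_pass}";
}

// Blind import of the request: extract() defaults to EXTR_OVERWRITE, so the
// attacker's db_host replaces the real one before the connection is built.
extract($_GET);
$insecure_dsn = connect_insecure();
echo "insecure: {$insecure_dsn}\n";
// -> insecure: mysql:host=203.0.113.5;user=app;pass=secret
// The credentials would be sent to the attacker's server.

// --- Hardened pattern -----------------------------------------------------
// Configuration is a value passed into the function; request data is read
// one key at a time and validated, never spread over the local namespace.
function connect_secure(array $config)
{
    return sprintf(
        'mysql:host=%s;user=%s;pass=%s',
        $config['host'],
        $config['user'],
        $config['pass']
    );
}

function request_page(array $get)
{
    // Selective import: only the key we expect, only in the shape we expect.
    if (isset($get['page']) && preg_match('/^[a-z0-9_-]{1,32}$/', $get['page'])) {
        return $get['page'];
    }
    return 'home';
}

$config = [
    'host' => 'db.internal.example',
    'user' => 'app',
    'pass' => 'secret',
];

$secure_dsn = connect_secure($config);
$page = request_page($_GET);
echo "secure:   {$secure_dsn} (page={$page})\n";
// -> secure:   mysql:host=db.internal.example;user=app;pass=secret (page=home)
// $_GET['db_host'] is simply ignored because nothing asks for it.
```

If you do have to keep extract() for legacy code, extract($_GET, EXTR_PREFIX_ALL, 'req') namespaces every imported variable as $req_*, so a request key can never collide with your own $db_host; EXTR_SKIP only helps when your configuration variables are already assigned before the import runs, which is exactly the ordering dependency Dan warns about.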
