AG>>>Seems like a bad excuse. Being able to destroy a superglobal array like
AG>>>that is clearly a bug that should be fixed.
IMO there should be no possibility to destroy GLOBALS with ?GLOBALS=foo,
but there should be a possibility to write GLOBALS with ?GLOBALS[foo]=bar -
why not, if we allow accessing globals anyway? I didn't check how hard it would be to separate these - if it's hard then restricting access to GLOBALS would be good.
Yup, I agree. GLOBALS[foo]=bar is perfectly fine since that doesn't destroy the array and prevent a $foo global locally defined from overriding it. The problem with the current situation is code like this:
<?php
$password_checked = true;
// ...
if ($GLOBALS['password_checked']) do_something();
?>
This application can be hacked by simply sending it a ?GLOBALS=foo in the URL.
-Rasmus
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
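The two request forms discussed in this thread, run through a name guard for code that imports request parameters as variables itself. This is an added example, not part of the original messages or of PHP's own fix; `split_request_params()` and `RESERVED_NAMES` are hypothetical names, and the guard takes the stricter option mentioned above of refusing the GLOBALS name in both forms.

```php
<?php
declare(strict_types=1);

// Names a request parameter must never claim when imported as a variable
// (PHP's superglobals plus "this"). Hypothetical constant, not a PHP built-in.
const RESERVED_NAMES = ['GLOBALS', '_GET', '_POST', '_COOKIE', '_FILES',
                        '_SERVER', '_ENV', '_REQUEST', '_SESSION', 'this'];

/**
 * Split parsed request parameters into those safe to import and those
 * rejected because their top-level name is reserved. For each rejected
 * name, record which of the two forms from the thread it was.
 */
function split_request_params(array $params): array
{
    $safe = [];
    $rejected = [];
    foreach ($params as $name => $value) {
        $name = (string) $name;
        if (in_array($name, RESERVED_NAMES, true)) {
            // ?GLOBALS=foo arrives as a scalar (would replace the array);
            // ?GLOBALS[foo]=bar arrives as an array (would write one element).
            $rejected[$name] = is_array($value)
                ? 'element write'
                : 'whole-array replace';
        } else {
            $safe[$name] = $value;
        }
    }
    return [$safe, $rejected];
}

// Constructed sample query strings.
$samples = ['GLOBALS=foo', 'GLOBALS[foo]=bar', 'page=2&sort=name'];

foreach ($samples as $query) {
    $params = [];
    parse_str($query, $params); // parses as PHP does for a URL query string
    [$safe, $rejected] = split_request_params($params);
    printf("%-18s safe=%s rejected=%s\n", $query,
        json_encode($safe), json_encode($rejected));
}
```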