Hi all,

I think I posted about this quite some time ago, but the issue is (as of PHP
5.2.0) still there:

- Request variables that have leading whitespace are trimmed before being
imported into the respective superglobal array.
- Request variables that have trailing whitespace have all whitespace converted
to _ before being imported into the respective superglobal array.

I presume this is still from the good old days of register_globals where men
were men and variables were autoglobal. Having a request variable with a space
wasn't desirable back then ("$ foo - huh?!"), but since r_g is going to go in
PHP6 anyway, wouldn't this be a good moment to change this behavior to what (at
least AFAICT) other languages do?

The impact of this change for actual scripts is probably quite low - you would
have to rely on this for any request variables (i.e. $_GPC keys) to happen in a
register_globals free environment. The upside for this is that it's a central
breaking point for modules like mod_security that take a variable blacklist
approach. Plus, the current behavior is somewhat inconsistent anyway.

Any comments?

--ck

-- 
http://www.de-punkt.de   [ [EMAIL PROTECTED] ]    http://www.stormix.de
PHP applications are at risk! SQL injection, XSS, session attacks,
CSRF, command shells, response splitting,... all Greek to you? Then pre-order
"PHP-Sicherheit" directly from the publisher right away! http://www.php-sicherheit.de/

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
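
Added example, not part of the original message and not PHP's or mod_security's own code: a filter-side check that applies the two renaming rules described in the post before matching a name blacklist, so the filter compares the key PHP will actually register. It models the space character only; the blacklist entry and the sample query string are constructed for illustration.

```python
from urllib.parse import parse_qsl

# Hypothetical blacklist entry; a real filter would load its own rule set.
BLOCKED = {"admin_mode"}

def php_key(wire_name):
    """Key under which the variable lands in the superglobal,
    following the two rules described in the post (spaces only)."""
    key = wire_name.lstrip(" ")      # rule 1: leading spaces are dropped
    return key.replace(" ", "_")     # rule 2: remaining spaces become "_"

def audit(query):
    """Compare each parameter name as sent with the key PHP registers."""
    findings = []
    for wire, _value in parse_qsl(query, keep_blank_values=True):
        key = php_key(wire)
        findings.append({
            "wire": wire,                       # name as seen by the filter
            "php": key,                         # name as seen by the script
            "rewritten": key != wire,           # the two views disagree
            "raw_match": wire in BLOCKED,       # blacklist on the wire name
            "canonical_match": key in BLOCKED,  # blacklist on the PHP key
        })
    return findings

def missed_by_raw_match(query):
    """Names a raw-name blacklist lets through although PHP maps them
    onto a blocked key."""
    return [f["wire"] for f in audit(query)
            if f["canonical_match"] and not f["raw_match"]]

# Constructed sample: leading space, inner space, trailing space, plain name.
SAMPLE = "%20admin_mode=1&admin+mode=1&token%20=2&q=x"

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
    print("missed by raw match:", missed_by_raw_match(SAMPLE))
```

A filter that logs every parameter with "rewritten" set also gets a cheap detection signal, since ordinary clients rarely send names that PHP has to rename.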
