Hello all,

Whereas I fully understand the security implications of PHP's old GET, POST and COOKIE variables and welcome with open arms the development team's decision to deprecate this facet of PHP, I am a little uncertain exactly why they have come up with the solution that appears in version 4.1.0.

If you have not yet heard of the new input mechanism, this is taken from the official announcement:

--
To help users build PHP applications with register_globals being off, we've added several new special variables that can be used instead of the old global variables. There are 7 new special arrays:

$_GET - contains form variables sent through GET
$_POST - contains form variables sent through POST
$_COOKIE - contains HTTP cookie variables
$_SERVER - contains server variables (e.g., REMOTE_ADDR)
$_ENV - contains the environment variables
$_REQUEST - a merge of the GET variables, POST variables and Cookie variables. In other words - all the information that is coming from the user, and that from a security point of view, cannot be trusted.
$_SESSION - contains HTTP variables registered by the session module
--

The arrays $_GET, $_POST, $_COOKIE, $_SERVER contain exactly the same data as the arrays $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS, $HTTP_SERVER_VARS. Try this to see for yourself:

<?php
echo "<pre>";
print_r ($_GET);    print_r ($HTTP_GET_VARS);
echo "<hr>";
print_r ($_POST);   print_r ($HTTP_POST_VARS);
echo "<hr>";
print_r ($_COOKIE); print_r ($HTTP_COOKIE_VARS);
echo "<hr>";
print_r ($_SERVER); print_r ($HTTP_SERVER_VARS);
echo "</pre>";
?>

Would it not have made more sense to deprecate the old variable input mechanism and suggest that the HTTP_*_VARS be used instead? Why introduce a new set of arrays?

Additionally, there is the new array $_REQUEST, but from a security perspective, that is exactly the same as the old (4.0.6 and earlier) input method.

OK, according to the documentation, there is no need to use the 'global' keyword when accessing the new arrays in a function, but I do not really consider that to be much of an advantage.

Also from the official announcement:

"Note: Some of these arrays had old names, e.g. $HTTP_GET_VARS. These names still work, but we encourage users to switch to the new shorter, and auto-global versions."

May I ask why?

What is the problem with the 'traditional' $HTTP_*_VARS arrays? Are these arrays going to be deprecated in the next version too?

Previously, it was generally considered good practice to use the $HTTP_*_VARS array instead of the default method. Indeed, there have been several articles concerning the insecurities with PHP's default method of passing variables between pages. (As a result my PHP apps are built uniquely with the 'secure' variable passing method.)

I would be _VERY_ interested in hearing your views on this new feature.

Very best regards
Stefen

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
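The scope difference the post dismisses, and the register_globals pitfall the new arrays are meant to replace, side by side. This is an added example, not code from Stefen's message or from the PHP announcement; it assumes PHP 4.1.0 or later with register_globals = Off, and the request `page.php?page=3` is a constructed sample.

```php
<?php
// Added example (not from the post or the announcement).
// Assumes PHP >= 4.1.0, register_globals = Off, request: page.php?page=3

// $HTTP_GET_VARS is an ordinary global: inside a function it must be
// declared with 'global', otherwise it is silently NULL.
function page_via_old_array() {
    global $HTTP_GET_VARS;
    return isset($HTTP_GET_VARS['page']) ? (int) $HTTP_GET_VARS['page'] : 1;
}

// $_GET is auto-global: same data, no declaration to forget.
function page_via_new_array() {
    return isset($_GET['page']) ? (int) $_GET['page'] : 1;
}

// What register_globals made dangerous: with it On, "?logged_in=1" in
// the URL would initialise $logged_in before this check ever ran,
// because the flag is a global that the request is allowed to create.
function admin_menu_register_globals_style() {
    global $logged_in;                  // may already be true from the request
    if (isset($_SESSION['user_id'])) {
        $logged_in = true;
    }
    return $logged_in ? 'admin menu' : 'login form';
}

// With register_globals Off, input reaches a variable only through an
// explicit read from a named array, and the flag is initialised locally.
function admin_menu_explicit() {
    $logged_in = false;
    if (isset($_SESSION['user_id'])) {  // $_SESSION: the session module's array
        $logged_in = true;
    }
    return $logged_in ? 'admin menu' : 'login form';
}

// $_REQUEST merges GET, POST and cookies, so a cookie could satisfy a
// check meant for a form field; read the specific array instead.
$page = isset($_POST['page']) ? (int) $_POST['page'] : page_via_new_array();
echo "page: $page, menu: " . admin_menu_explicit() . "\n";
```

For the sample request both page_via_* functions return 3 only when the old array is declared with `global`; without session data the explicit menu function always returns 'login form', whichever query string arrives.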