Re: Conversion of period and space for $_GET, $_REQUEST, etc. is rather senseless


Richard Lynch wrote:
On Thu, June 30, 2005 8:47 pm, Joe Krahn said:

PHP imports GET and POST data to array elements by senselessly
converting periods and spaces to underscore. The intent is to make
strings variable-name compatible for conversion directly into global
variables via import_request_variables or register_globals.


Honestly?...

Why in the world would you have variable names or even array keys with
such weird keys anyway, other than the imagemaps, of course?

[shrug]
I was trying to create a form whose value names would match key names from a database. To avoid conflict, I decided to prefix the other form values with a period, and was surprised that it didn't work. The easy fix was to use another 'special character', but PHP documentation did not make it clear which characters are 'special', so I tested all 256. I was even more surprised that a period is special, but control characters are not.



String-to-variable name mangling should only occur when being converted
to variable names, but should be left as is when accessed as array
elements. The current implementation is particularly bad because it
mangles only periods and spaces, but leaves alone other special/unusual
characters. Furthermore, the direct conversion into global name space is
discouraged for security reasons.

A feature-request was made related to this, but it was marked as "Won't
Fix", primarily due to compatibility concerns. However, I think it's a
poor design, and there must be some compatible way to move beyond this
misfeature.


You'd break an awful lot of backwards-compatibility, for anybody actually
relying on it...

The biggest one being for INPUT TYPE="IMAGE" and image map ,x and ,y
variables.

If it weren't for those, I'd say go ahead and change it.  There probably
aren't THAT many users affected by anything else.

It would be nice if the original design had only mangled the variable
names and not the array keys, but changing it now...

Just too many applications are gonna get broken big-time.
...
I'm not unsympathetic to your plight, and you're absolutely right it would
have been a better Design had somebody thought to do it that way, oh, 10
years ago...
Well, I think PHP will be around for a long time, so we're still in the early days of PHP.

How's this for a trivial backwards-compatible fix -- for array keys, populate both mangled and unmangled keys.

HEY!
Just noticed your email address...

Can you turn off that stupid auto-responder thingie from rr.com that keeps
spamming the list about viruses it deleted? Thanks. [I think it's rr.com,
right?...]
It's the admin people... I have no control. They probably think it's safer to let list people know of a virus than to avoid the extra spam.

Well, I'll send them an email anyhow.

Joe Krahn

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
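
An added example, not part of the original thread or of PHP itself: it reads request keys exactly as sent by parsing the raw query string, and flags distinct keys that become the same array key once periods and spaces turn into underscores. The function names and the sample query string are constructed, and `mangled_key()` models only the period/space rule described in the thread.

```php
<?php
// Added example; function names and sample input are constructed for illustration.

/** Return [rawKey, value] pairs as sent: URL-decoded, keys left unmangled. */
function raw_query_pairs(string $query): array
{
    $pairs = [];
    foreach (explode('&', $query) as $part) {
        if ($part === '') {
            continue; // skip empty segments such as "a=1&&b=2"
        }
        [$key, $value] = array_pad(explode('=', $part, 2), 2, '');
        $pairs[] = [urldecode($key), urldecode($value)];
    }
    return $pairs;
}

/** Assumption: models only the rule from the thread ('.' and ' ' become '_'). */
function mangled_key(string $key): string
{
    return strtr($key, ['.' => '_', ' ' => '_']);
}

/** Map each mangled key to the distinct raw keys that collapse onto it. */
function mangling_collisions(string $query): array
{
    $groups = [];
    foreach (raw_query_pairs($query) as [$key]) {
        $groups[mangled_key($key)][$key] = true;
    }
    $collisions = [];
    foreach ($groups as $mangled => $rawKeys) {
        if (count($rawKeys) > 1) {
            $collisions[$mangled] = array_keys($rawKeys);
        }
    }
    return $collisions;
}

// Constructed sample: ".id" and "_id" are different names on the wire,
// but both would be stored under the array key "_id".
$query = '.id=7&_id=9&image.x=12&image.y=30&name=joe';
print_r(raw_query_pairs($query));      // keys keep their periods
print_r(mangling_collisions($query));  // reports "_id" with raw keys ".id" and "_id"
```

In a live request the same functions can be fed `$_SERVER['QUERY_STRING']`; any code that validates or logs parameter names before PHP sees them should compare against the mangled form as well as the raw one.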

