
Idea for PHP Enhancement: register_globals_manual

With all the problems with having register_globals = on, I propose the
following idea:

We define register_globals_manual = on as a new configuration default.

What this does is enable 3 new explicit variable declaration mechanisms
with the same syntax as the existing static and global mechanisms.

They would be httpget, httppost and session, so for example:

httpget $user_id;
httppost $credit_card;
session $really_important_stuff;

Each of these declaration lines would effectively enable
register_globals for one specific variable in one particular method
(GET, POST or session).

Creative suggestions, comments would be welcome.

--
Spam:newsgroup( at)cr*********@ verisign-sux-klj.com
EMail:<01100011 001011100110001 001110101011100 10011010110
110010101000000 011000110111001 001100001011110 10011011100
110000101110010 001011100110001 101101111011011 0100100000>
Jul 17 '05
Justin Koivisto wrote:
Then the facility to be sloppy isn't available.
My suggestion removes the sloppy factor - but keeps the functionality.
I used to do everything with register_globals on, and quickly learned
that it's a nightmare to debug when you happen to be using the same
variable name via POST and GET requests.


Which is got around by the concept I suggested.

--
Spam:newsgroup( at)cr*********@ verisign-sux-klj.com
EMail:<01100011 001011100110001 001110101011100 10011010110
110010101000000 011000110111001 001100001011110 10011011100
110000101110010 001011100110001 101101111011011 0100100000>
Jul 17 '05 #11
127.0.0.1:
With all the problems with having register_globals = on, I propose the
following idea:

We define register_globals_manual = on as a new configuration default.

What this does is enable 3 new explicit variable declaration mechanisms
with the same syntax as the existing static and global mechanisms.

They would be httpget, httppost and session, so for example:

httpget $user_id;
httppost $credit_card;
session $really_important_stuff;

Each of these declaration lines would effectively enable
register_globals for one specific variable in one particular method
(GET, POST or session).

Creative suggestions, comments would be welcome.


I can't see what you gain. I'm perfectly happy using $_GET, $_POST etc.
directly. Polluting the global namespace with variables simply isn't a good
idea.

Why do you think it's easier to write
httpget $user_id;
than
$_GET['user_id'];

?

André Næss
Jul 17 '05 #12
André Næss wrote:
I can't see what you gain. I'm perfectly happy using $_GET, $_POST
etc. directly. Polluting the global namespace with variables simply
isn't a good idea.

Why do you think it's easier to write
httpget $user_id;
than
$_GET['user_id'];


It is far easier to write

session $blah;

than to write

$blah = $_SESSION['blah'];
register exit routine;
..
..
..
..
..

exit_routine
$_SESSION['blah'] = $blah
etc

--
Spam:newsgroup( at)cr*********@ verisign-sux-klj.com
EMail:<01100011 001011100110001 001110101011100 10011010110
110010101000000 011000110111001 001100001011110 10011011100
110000101110010 001011100110001 101101111011011 0100100000>
Jul 17 '05 #13

"127.0.0.1" <newsgroup(at)c r*********@veri sign-sux-ijlkl.com> wrote in
message news:0n******** ************@ne ws-server.bigpond. net.au...
Paulus Magnus wrote:
As much inconvenience as register_globals has caused me personally, I
do believe the world is a safer place because of it being changed.


So - any comments on the concept of a modified register_globals ability
?


I couldn't see a benefit from allowing specified variables to be global.
It's very similar to my own bit of code...

$user_id = (isset ($_GET['user_id'])) ? $_GET['user_id'] : "";

....that I've used to kludge code that was written pre-register_globals=off.
You could use the $_REQUEST array if you wanted but I think that's another
sloppy mechanism that should be removed as well.

All my new scripts tend to read/write to the superglobal arrays as I need to
as I prefer to use arrays of variables anyhow. It's almost a way of
categorising them. For example I don't use $host, $database, $username and
$password for MySQL. I use $mysql['host'], $mysql['database'],
$mysql['username'] and $mysql['password']. As long as my code is readable I
don't mind.

$_GET['u'] isn't readable, $_GET['user_id'] is, $user_id is more readable
but it's another variable I have to initialise. Therefore, if I'm using GET
to pass variables I tend to use single letter variable names and then swap
them using a little isset initialisation above to make them more readable.
If I'm passing variables via COOKIE, SESSION or POST I use meaningful names
as the user can't see them and it saves me doing a
quasi-register_globals_manually.

Paulus
Jul 17 '05 #14
"127.0.0.1" <newsgroup(at)c r*********@veri sign-sux-ijlkl.com> wrote in
message news:Xq******** ************@ne ws-server.bigpond. net.au...
Tom Lee wrote:

I think a better approach would be namespace based - ala something
like: httpsession::really_important_stuff;
Then it would be pointless ... if we have to use XXXX<varname>XXXX,
then XXXX might as well be $_SESSION, as httpsession:: ... i'm trying
to come up with a secure version of register_globals...


I don't think the security hole is that large from register_globals. It's
how that posted data is validated before processing it that is the problem.
PHP can help to close this security by turning off register globals, the
other 90% of the job is down to the programmer.
Well - after 7 years of web programming Delphi/IIS, I'm finding PHP
session handling in conjunction with templating a real problem.


It depends on your templating solution. I have no problem with it and find
the use of templating to be a major assistance to my application
development. I don't have to clutter my code with bits of HTML any more and
that makes my algorithm and flow of processing incredibly easy. However, I
do know that many of the template systems out there are a language all to
themselves. I've seen them being used, seen code written with them and
thought I'm not going there. I'm not learning a template pseudo-code, it's
just not necessary.
I agree that there's probably nicer ways to go about it
syntactically, but on the level that it's merely saving a few key
strokes?


It isn't about saving keystrokes - it is about enabling some
functionality...


I think anything that translates posted data to processing without making
the developer think is bad. Security is not something you can teach or list
in a 10 step plan as each script has its weak points. If you're manipulating
data based on the input provided by a user, you really need to think "what
if?". Register globals is just a small part of the security issue and you
can move variables to normal pretty variables in one line using the isset()
and ternary operator as I've shown on another post in this thread.

Paulus
Jul 17 '05 #15
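
Added example (not part of the original thread and not any poster's code): the posts above argue about tying each variable to one source and about validation being the programmer's job. The sketch below shows both, with a register_globals-style import simulated by `extract()` beside an explicit, validated per-source import. The helper names `import_declared` and `legacy_check`, the validators and the sample arrays are hypothetical and constructed for illustration.

```php
<?php
// Constructed sample data standing in for $_GET and $_POST.
$get  = ['user_id' => '42', 'is_admin' => '1'];
$post = ['user_id' => 'abc', 'credit_card' => '4111111111111111'];

/**
 * Hypothetical helper: import only the declared names from ONE source array,
 * passing each through its validator. Missing or invalid values become null.
 */
function import_declared(array $source, array $spec): array
{
    $out = [];
    foreach ($spec as $name => $validator) {
        $raw = $source[$name] ?? null;
        // Absent values and arrays (e.g. ?user_id[]=1) are rejected up front.
        $out[$name] = is_string($raw) ? $validator($raw) : null;
    }
    return $out;
}

$positive_int = function (string $v) {
    $n = filter_var($v, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $n === false ? null : $n;
};
$card_digits = function (string $v) {
    return preg_match('/^\d{13,19}$/', $v) ? $v : null;
};

// "Before": register_globals-style behaviour, simulated with extract().
function legacy_check(array $request): bool
{
    extract($request);        // every request key becomes a local variable
    // The script never initialises $is_admin, so the request decides it.
    return !empty($is_admin);
}

// "After": each variable is tied to one source and one validator, so the
// same name arriving via GET and POST cannot collide, and undeclared keys
// never become variables at all.
$from_get  = import_declared($get,  ['user_id' => $positive_int]);
$from_post = import_declared($post, ['user_id' => $positive_int,
                                     'credit_card' => $card_digits]);

var_dump(legacy_check($get + $post)); // legacy path with merged request data
var_dump($from_get);                  // only the declared GET name
var_dump($from_post);                 // declared POST names after validation
```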
127.0.0.1 wrote:
With all the problems with having register_globals = on, I propose the
following idea:

We define register_globals_manual = on as a new configuration
default.
Creative suggestions, comments would be welcome.


Function "import_request_variables()" is not enough for you? :))

--
--- --- --- --- --- --- ---
ja**@croatiabiz .com
Jul 17 '05 #16
With total disregard for any kind of safety measures "127.0.0.1"
<newsgroup(at)c r*********@veri sign-sux-ijlkl.com> leapt forth and
uttered:
Justin Koivisto wrote:
Then the facility to be sloppy isn't available.


My suggestion removes the sloppy factor - but keeps the
functionality.
I used to do everything with register_globals on, and quickly
learned that it's a nightmare to debug when you happen to be
using the same variable name via POST and GET requests.


Which is got around by the concept I suggested.


But what is the POINT of your method when PHP has plenty of
non-register_globals reliant methods already?

You just seem to be trying to come up with a way to reverse-
engineer what was a bad idea in the first place.

--
There is no signature.....
Jul 17 '05 #17
With total disregard for any kind of safety measures "127.0.0.1"
<newsgroup(at)c r*********@veri sign-sux-ijlkl.com> leapt forth and
uttered:
André Næss wrote:
I can't see what you gain. I'm perfectly happy using $_GET,
$_POST etc. directly. Polluting the global namespace with
variables simply isn't a good idea.

Why do you think it's easier to write
httpget $user_id;
than
$_GET['user_id'];


It is far easier to write

session $blah;

than to write

$blah = $_SESSION['blah'];
register exit routine;
.
.
.
.
.

exit_routine
$_SESSION['blah'] = $blah
etc


So don't do $blah = $_SESSION['blah']; then, just use
$_SESSION['blah'] directly.

I cannot understand why you put more importance on code aesthetics
than efficient design.

--
There is no signature.....
Jul 17 '05 #18
Phil Roberts wrote:
But what is the POINT of your method when PHP has plenty of
non-register_globals reliant methods already?


It doesn't have one for SESSION variables yet ....

--
Spam:newsgroup( at)cr*********@ verisign-sux-klj.com
EMail:<01100011 001011100110001 001110101011100 10011010110
110010101000000 011000110111001 001100001011110 10011011100
110000101110010 001011100110001 101101111011011 0100100000>
Jul 17 '05 #19
Phil Roberts wrote:

So don't do $blah = $_SESSION['blah']; then, just use
$_SESSION['blah'] directly.
I can't...

I cannot understand why you put more importance on code aesthetics
than efficient design.


I don't...

--
Spam:newsgroup( at)cr*********@ verisign-sux-klj.com
EMail:<01100011 001011100110001 001110101011100 10011010110
110010101000000 011000110111001 001100001011110 10011011100
110000101110010 001011100110001 101101111011011 0100100000>
Jul 17 '05 #20
