[Pmwiki-users] PmWiki 1.0.0 released - HTTP_-variables
Patrick R. Michaud
pmichaud
Mon Jun 14 08:17:16 CDT 2004
On Mon, Jun 14, 2004 at 03:56:34PM +0200, Knut Alboldt wrote:
>
> Isn't the $_REQUEST-array reset in pmwiki.php? I thought this is done with
> the code
>   if (ini_get('register_globals')) {
>     foreach($_REQUEST as $k=>$v) { unset(${$k}); }
>   }
> at the very beginning. So if I use $_REQUEST, there will be no variables,
> right?

No, that's not what this code does. :-) This code tries to undo the
effect of PHP's "register globals" option, which automatically makes
any entry in $_REQUEST into a PHP global variable. This can have
all sorts of nasty outcomes--for example, with register_globals set to
"on", someone can enter a URL such as
http://example.com/pmwiki.php?UploadDirFmt=/etc
and PHP will automatically set the value of $UploadDirFmt to be "/etc"
(a Bad Thing). So, PmWiki starts by removing any values of $_REQUEST
from the global environment before proceeding. However, the $_REQUEST
array itself is unchanged by this code.
Pm
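
The behaviour described in the reply above, as an added PHP example that is not part of the original message or of PmWiki's code. register_globals (removed in PHP 5.4.0) is simulated by copying request entries into the global scope; the request values, the second parameter `n` and the `uploads` default are constructed for illustration.

```php
<?php
// Constructed request standing in for
// pmwiki.php?UploadDirFmt=/etc&n=Main.HomePage ("n" is a made-up second parameter).
$_REQUEST = array('UploadDirFmt' => '/etc', 'n' => 'Main.HomePage');

// register_globals no longer exists in PHP, so its effect is simulated here:
// every request entry is copied into the global scope.
foreach ($_REQUEST as $k => $v) { $GLOBALS[$k] = $v; }

$report = array();
$report['after register_globals'] = isset($UploadDirFmt) ? $UploadDirFmt : '(unset)';

// The undo loop from the message, run at global scope. The ini_get() guard is
// left out because ini_get('register_globals') returns false on PHP >= 5.4,
// which would skip the loop.
foreach ($_REQUEST as $k => $v) { unset(${$k}); }

$report['after undo loop'] = isset($UploadDirFmt) ? $UploadDirFmt : '(unset)';

// The request array itself is untouched: the value is still readable there,
// but only by code that asks for it explicitly.
$report['$_REQUEST entry'] = $_REQUEST['UploadDirFmt'];

// Hypothetical script default, assigned after the clean-up (constructed value).
$UploadDirFmt = 'uploads';
$report['script default'] = $UploadDirFmt;

foreach ($report as $label => $value) {
    printf("%-24s %s\n", $label, $value);
}
```

The clean-up only helps when it runs before the script assigns or reads its own globals, which is why the message places it at the very beginning of pmwiki.php.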