[Pmwiki-users] PmWiki 1.0.0 released - HTTP_-variables

Patrick R. Michaud pmichaud
Mon Jun 14 08:17:16 CDT 2004


On Mon, Jun 14, 2004 at 03:56:34PM +0200, Knut Alboldt wrote:
> 
> Isn't the $_REQUEST-array reset in pmwiki.php ? I thought this is done with 
> the code
>     if (ini_get('register_globals')) {
>       foreach($_REQUEST as $k=>$v) { unset(${$k}); }
>     }
> at the very beginning. So if I use $_REQUEST, there will be no variables, 
> right ?

No, that's not what this code does.  :-)  This code tries to undo the
effect of PHP's "register globals" option, which automatically makes
any entry in $_REQUEST into a PHP global variable.  This can have
all sorts of nasty outcomes--for example, with register_globals set to
"on", someone can enter a URL such as

   http://example.com/pmwiki.php?UploadDirFmt=/etc

and PHP will automatically set the value of $UploadDirFmt to be "/etc"
(a Bad Thing).  So, PmWiki starts by removing any values of $_REQUEST 
from the global environment before proceeding.  However, the $_REQUEST
array itself is unchanged by this code.

Pm
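
The behaviour described in the message above, as an added example that is not part of the original post or of PmWiki's code. register_globals was removed in PHP 5.4, so it is emulated here; the function names, the sample request, the "uploads" default and the set-if-unset pattern are assumptions made for the demonstration.

```php
<?php
// Emulates register_globals=On: every request key becomes a global variable
// before the script's own code runs. (Assumption: stands in for the removed
// PHP option.)
function emulate_register_globals(array $request): void {
    foreach ($request as $k => $v) { $GLOBALS[$k] = $v; }
}

// Same effect as the quoted loop, written against $GLOBALS so that it also
// works inside a function. It removes the globals and never touches $request.
function undo_register_globals(array $request): void {
    foreach ($request as $k => $v) { unset($GLOBALS[$k]); }
}

// Hypothetical configuration code using a "set only if not already set"
// default, the pattern that lets an injected global override a setting.
function default_upload_dir(): string {
    if (!isset($GLOBALS['UploadDirFmt'])) {
        $GLOBALS['UploadDirFmt'] = 'uploads';   // hypothetical default value
    }
    return $GLOBALS['UploadDirFmt'];
}

// Constructed request, standing in for ?UploadDirFmt=/etc&n=Main.HomePage
$_REQUEST = ['UploadDirFmt' => '/etc', 'n' => 'Main.HomePage'];

// Case 1: no cleanup, so the request-supplied value wins over the default.
emulate_register_globals($_REQUEST);
echo "without cleanup: ", default_upload_dir(), "\n";

// Case 2: cleanup runs first, so the script's own default applies.
emulate_register_globals($_REQUEST);
undo_register_globals($_REQUEST);
echo "with cleanup:    ", default_upload_dir(), "\n";

// The superglobal is unchanged, so request input stays available when it is
// read explicitly by name.
echo "\$_REQUEST after cleanup: ", var_export($_REQUEST, true), "\n";
echo "page name: ", $_REQUEST['n'] ?? '', "\n";
```

The cleanup only protects variables that are assigned after it runs, which is why it sits at the very beginning of the script.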


