PHP :: Request #21129 :: config setting for only superglobal arrays (no more $HTTP_*

config setting for only superglobal arrays (no more $HTTP_*_VARS)

Submitted:

2002-12-21 05:51 UTC

Modified:

2003-03-30 10:58 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

hugo at gewis dot nl

Assigned:

Status:

Closed

Package:

Feature/Change Request

PHP Version:

4.2.3

OS:

any

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	hugo at gewis dot nl
New email:
PHP Version:		OS:

New Comment:

[2002-12-21 05:51 UTC] hugo at gewis dot nl

IMHO it would be nice to have a configuration option that ensures that only $_POST, $_GET, $_SERVER, $_ENV etc. are set, and that $HTTP_POST_VARS, $HTTP_GET_VARS, $HTTP_SERVER_VARS, $HTTP_ENV_VARS etc. are not defined.

Why?
Obviously to remove the overhead of having a duplicate version of each variable.

Furthermore, this can assist in cleaner, more secure code (in my humble opinion).
For example:I just ran into a situation where a login was checked. The submitted password was removed from $_POST. It was, however, still available from $HTTP_POST_VARS. 

(Of course, this last issue could also be fixed by making one a reference to the other (as suggested in bug 15180).)

I think the phrase 'avoid duplication of volatile information' applies here.

Hugo

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2003-03-30 10:58 UTC] magnus@php.net

This is fixed in PHP5 CVS.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon Dec 08 15:00:01 2025 UTC