Perl Monk, Perl Meditation | |
PerlMonks |
comment on |
( [id://3333]=superdoc: print w/replies, xml ) | Need Help?? |
oh, yeah. automatic variable creation is GREAT! for those of
you who aren't familiar with this, PHP's default settings
cause it to look for incoming GET, POST, and COOKIE
variables in a specified order and import them into the
global namespace. so, if someone calls your script with
foo=bar as a parameter, the variable $foo in the global
namespace will be 'bar'.
however, since PHP also stores variables for system settings in this same global namespace, some of which are not always populated, it is pretty easy for a user to spoof your script by passing in variables with the correct names. for example, when a script is running under an SSL server, the environment variable HTTPS is set to 'ON'. however, in other circustances, it is not set at all. so, if you have a custom PHP function that you want to behave differently based on whether it is called by a script under an SSL web server or not, you can't just check the value of HTTPS because it may have been passed in by the end user with HTTPS=ON. to get around this, you either have to disable the automatic variable creation by unsetting your GPC_ORDER (which is a very kludgy thing to do on a per script basis), or check to make sure that HTTPS=ON isn't in HTTP_GET_VARS, HTTP_POST_VARS, or HTTP_COOKIE_VARS, thereby eliminating the value the namespace munging had in the first place. that is just idiotic, IMHO. i myself use PHP fairly often, so i don't by any means think it is horrible, but it definitely fails in a number of areas where Perl shines (and vice versa, occasionally). In reply to Re: Not Inciting a Holy War
by mdillon
|
|