
[Phptest-devel] Re: updating code for security


From: dj resonance
Subject: [Phptest-devel] Re: updating code for security
Date: Wed, 10 Jul 2002 15:31:56 -0700 (PDT)

Hi John, 

That sounds like a good plan.  The problem with using
the $_POST etc. variables is that they are unsupported
w/ PHP earlier than 4.1.0.  I would love to use them,
because they are automatically global in scope as well
as easier to type, but the majority of web hosts are
still running earlier versions of PHP.  In fact the
current host for resynthesize.com is running php 4.06,
as was my last host.  That fact, combined with the
fact that $_POST and $HTTP_POST_VARS are just aliases
for each other and have no functional difference
(Aside from the autoglobal scope) means that phpTest
will keep the old form, probably forever because there
is nothing to be gained from using the new syntax
(other than convenience) while there is much to be
lost.  I think you'll find that making everything
'work' with register_globals is quite a task.  I spent
about two 8-hour days on this, but realized it was going
to take a lot of time and significant restructuring to
make it all work.  I think the best thing to do would
be for me to create a new cvs branch, so I can
continue to work on new features while you hack on the
register_globals bit.  I don't think we can work on
the same codebase simultaneously because phptest will
likely be quite broken for a while while you make the
changes.  Feel free to audit the rest of the code too,
I've tried to keep security in mind when designing the
program but I'm sure I've missed some bits and pieces.
I'll look into how to set up a separate branch in CVS
tomorrow at work and get back to you.

Thanks,
Brandon
--- John Lacey <address@hidden> wrote:

Hi Brandon,

This should be about the last of the emails I send direct before
switching my email client over so I can communicate with
phptest-devel using plain text.

In any endeavor, there's always the "odds and ends" that need to be
done in addition to doing the more personally gratifying and
challenging stuff, which adds new features and functionality.  People
who are new to a project often get tagged with tasks that not only
are necessary, but also help them to learn the project's ins-and-outs,
as it were.  It's all good, even though some short-sighted newcomers
may view certain assignments as "uncool", or whatever.

With that said, if you'd like me to look at phpTest with an eye to
eliminating the need to run with register_globals On, I think it
would be a good way for me to learn phpTest and PHP as well.  After
that, I can go back to looking at features that I'd like to work on.
I mention this because of the attention that is being given to
improving PHP's security model, as well as running across your
comment when I was tweaking the documentation, concerning your desire
to address this issue.

There are probably a few places where things like:

    if (isset($HTTP_POST_VARS['submit'])) {

should now read:

    if (isset($_POST['submit'])) {

assuming I understand the changes with the new variable arrays
correctly...

I could begin work on that as early as this Friday.  Let me know if
this is something you'd like done, while you're off working on the
new features.

thanks,
John
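An added illustration of the approach both messages are circling (not phpTest's own code): read form input explicitly through $HTTP_POST_VARS so the script runs with register_globals Off, while still working on PHP releases before 4.1.0 that have no $_POST. The helper name get_post_var and the form field names are assumptions for the example.

```php
<?php
// Added example, not code from phpTest. Goal: stop depending on
// register_globals without requiring PHP >= 4.1.0.
//
// $HTTP_POST_VARS exists on PHP 4.0.x and is still populated on
// 4.1.0+, so it works on both. Unlike $_POST it is NOT a superglobal,
// so inside a function it must be pulled in with "global".
function get_post_var($name, $default = '')
{
    global $HTTP_POST_VARS;
    if (isset($HTTP_POST_VARS[$name])) {
        return $HTTP_POST_VARS[$name];
    }
    return $default;
}

// With register_globals On, $submit, $question and $test_id would be
// created straight from the request (and any other request parameter
// would silently become a global). Initialising them explicitly here
// means the script only sees the fields it asks for, with a known
// default when a field is absent.
$submit   = get_post_var('submit');                 // hypothetical field
$question = get_post_var('question');               // hypothetical field
$test_id  = (int) get_post_var('test_id', 0);       // hypothetical field

// Equivalent of John's "if (isset($HTTP_POST_VARS['submit']))" check,
// expressed through the helper so the same line works on every
// PHP 4 release the hosts mentioned in the thread are running.
if ($submit != '') {
    // ... handle the submitted test answer using $question, $test_id ...
}
?>
```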




