[dev] Ingo Patch...

Chuck Hagenbuch chuck at horde.org
Tue Jun 17 11:53:42 PDT 2003


Quoting Michael M Slusarz <slusarz at bigworm.colorado.edu>:

> In general, though, register_globals should _always_ be set to Off.  I
> realize that this has never been a *requirement* for Horde, but our code
> will work just fine if it is set to Off.  Should we make this a
> requirement in the future?

No, definitely not.

For one thing, we try to require as few ini settings as possible. For
another, if we ever assume this, we leave ourselves *badly* open to
security problems.

What we should do, in practice, is:

- ALWAYS assume that it is on, such that a user can define variables in the
global scope by passing GET parameters, cookies, etc. (this is the reason
for Horde::nonInputVar()).

- ALWAYS assume that form, session, cookie data is not available globally
(i.e., like register_globals is off).

-chuck

--
Charles Hagenbuch, <chuck at horde.org>
The alligators were there, too, in a bathtub inside the house.
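The two rules above, as an added illustration that is not Horde's own code: `non_input_var()` is a hypothetical stand-in for the idea behind Horde::nonInputVar() (refuse to trust a global that the request could have seeded), and `form_data()` shows reading input explicitly instead of expecting it in the global scope. The credential check and its stored hash are constructed for the example.

```php
<?php
// Rule 1: assume register_globals is On. A global that the script expects to
// set itself (an auth flag, a section name) may already have been defined
// from GET/POST/COOKIE before any of our code ran. Only trust it when no
// request input carries that name. Hypothetical helper, not Horde's.
function non_input_var($name, $default = null)
{
    if (isset($_GET[$name]) || isset($_POST[$name]) || isset($_COOKIE[$name])) {
        return $default;            // request tried to define it: ignore
    }
    return isset($GLOBALS[$name]) ? $GLOBALS[$name] : $default;
}

// Rule 2: assume register_globals is Off. Never read $username and hope it
// holds form data; fetch it from the superglobals explicitly.
function form_data($name, $default = null)
{
    if (isset($_POST[$name])) {
        return $_POST[$name];
    }
    return isset($_GET[$name]) ? $_GET[$name] : $default;
}

// Constructed credential check: a single user with a stored password hash.
function check_credentials($user, $pass)
{
    $stored = array('alice' => password_hash('correct horse', PASSWORD_DEFAULT));
    return isset($stored[$user]) && password_verify((string) $pass, $stored[$user]);
}

// Pattern that is unsafe with register_globals On (uninitialised flag):
//   if (check_credentials($user, $pass)) { $authenticated = true; }
//   if ($authenticated) { show_mailbox(); }
//
// Pattern that is correct under either setting:
$authenticated = false;                        // always initialise first
$user = form_data('username');                 // explicit input
$pass = form_data('password');
if (check_credentials($user, $pass)) {
    $authenticated = true;
}
// Before acting on a global that only our code should set, confirm the
// request did not supply a variable of the same name.
if (non_input_var('authenticated', false) === true) {
    echo "Logged in as " . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . "\n";
} else {
    echo "Not authenticated\n";
}
```

Run from the CLI the superglobals are empty, so the script prints "Not authenticated"; under a web server a request carrying `authenticated` in its query string is ignored by `non_input_var()` even when register_globals has copied it into scope.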
