import_request_variables() is gone from PHP since version 5.4.0. A simple plug-in replacement it extract().
For example:
import_request_variables('gp', 'v_');
Can be replaced with:
extract($_REQUEST, EXTR_PREFIX_ALL|EXTR_REFS, 'v');
(PHP 4 >= 4.1.0, PHP 5 < 5.4.0)
import_request_variables — 将 GET/POST/Cookie 变量导入到全局作用域中
$types
[, string $prefix
] ) : bool将 GET/POST/Cookie 变量导入到全局作用域中。如果你禁止了 register_globals,但又想用到一些全局变量,那么此函数就很有用。
你可以使用 types
参数指定需要导入的变量。可以用字母'G'、'P'和'C'分别表示
GET、POST 和 Cookie。这些字母不区分大小写,所以你可以使用'g'、'p'和'c'的任何组合。POST
包含了通过 POST 方法上传的文件信息。注意这些字母的顺序,当使用"gp"时,POST
变量将使用相同的名字覆盖 GET 变量。任何 GPC
以外的字母都将被忽略。
prefix
参数作为变量名的前缀,置于所有被导入到全局作用域的变量之前。所以如果你有个名为"userid"的
GET 变量,同时提供了"pref_"作为前缀,那么你将获得一个名为 $pref_userid
的全局变量。
如果你对导入其它全局变量(例如 SERVER 变量)感兴趣,请考虑使用 extract()。
Note:
虽然
prefix
参数是可选的,但如果不指定前缀,或者指定一个空字符串作为前缀,你将获得一个 E_NOTICE 级别的错误。使用默认错误报告级别是不显示注意(Notice)级别的错误的。
<?php
// 此处将导入 GET 和 POST 变量
// 使用"rvar_"作为前缀
import_request_variables("gP", "rvar_");
echo $rvar_foo;
?>
import_request_variables() is gone from PHP since version 5.4.0. A simple plug-in replacement it extract().
For example:
import_request_variables('gp', 'v_');
Can be replaced with:
extract($_REQUEST, EXTR_PREFIX_ALL|EXTR_REFS, 'v');
What i do is have a small script in my header file that takes an array called $input, and loops through the array to extract variables. that way the security hole can be closed, as you specify what variables you would like extracted
$input = array('name' => null, 'age' => 26) ;
// 26 is the default age, if $_GET['age'] is empty or not set
function extract_get()
{
global $input ;
if ($input)
{
foreach ($input as $k => $v)
{
if ($_GET[$k] == '' or $_GET[$k] == NULL)
{
$GLOBALS[$k] = $v ;
}
else
{
$GLOBALS = $_GET[$k] ;
}
}
}
}
reply to ceo AT l-i-e DOT com:
I don't think it's a risk, as all of your request variables will be tagged with the prefix. As long as you don't prefix any of your internal variables with the same, you should be fine.
If someone tries to access an uninitiated security-related variable like $admin_level through request data, it will get imported as $RV_admin_level.
oops, a typo in my comment:
The last line in the second example (the on using the extract() function) should read:
echo $_GET['var']; # prints 1, so $_GET has been unchanged
Call me crazy, but it seems to me that if you use this function, even WITH the prefix, then you might as well just turn register_globals back on...
Sooner or later, somebody will find a "hole" with your prefixed variables in an un-initialized variable.
Better to import precisely the variables you need, and initialize anything else properly.
import_request_variables does *not* read from the $_GET, $_POST, or $_COOKIE arrays - it reads the data directly from what was submitted. This is an important distinction if, for example, the server has magic_quotes turned on and you massage the data to run stripslashes on it; if you then use import_request_variables, your variables will still have slashes in them.
In other words: even if you say $_GET=""; $_POST=""; then use import_request_variables, it'll still get all the request data.
If you change the contents of $_GET and you then want to bring this data into global variables, use extract($_GET, EXTR_PREFIX_ALL, "myprefix") instead.