Removing register_globals


#1

Similar to magic_quotes, register_globals was deprecated in PHP 5.3 and removed in 5.4. Since our PHP requirement is >=5.4, I suggest we remove our fake version of this from the codebase.

Will move forward with this unless there is an incredibly good reason for keeping it.


#2

I think the codebase is ready for removing this since much of the codebase does not rely on this anymore. Several bugs in the old codebase will likely be unmasked, but we can pick these up on testing (i.e. this small chance of minor bugs is worth the additional security that removing this will provide).
-brady


#3

Hi,

I think this is vital for security, so Robert and I both cleaned the register global mimicking mechanism out of the codebase (the flag mechanism served a good purpose over the last 7 years or so as several hundred scripts were converted to not use this mechanism). Road testing looks really good, but I wouldn't be surprised if there are some minor bugs noted in the older codebase (for example, dates may not be populated on some of the older reports). Will continue systematic per-script testing.

-brady


#4

Note this also simplifies coding for developers, since we no longer need to worry about the security flags. Also removed these from the codebase security wiki page:
http://www.open-emr.org/wiki/index.php/Codebase_Security#SQL-Injection_and_Cross-Scripting_Prevention