Ban global variable names for temporary tasks

Events happening in the community are now at Drupal community events on www.drupal.org.
miro_dietiker's picture
Posted by miro_dietiker on January 30, 2010 at 10:17pm

I'd strongly recommend to add a directive in coding standards to ban common (global) variable names for temporary tasks.

This is a very important security issue as it can lead to certain accidental variable overwrites such as:

In context of a $node some code tries to load assigned user object and does $user = user_load($node->nid);
While this feels pretty OK for the first second one single global $user before this line will lead to a user context switch and thus permission takeover.
This is a very common mistake i've seen many times - and which happens too soon...

We should therefore ban all common variable names for temporary use and suggest using alternatives.
Sample:
BAN $user --> SUGGEST $account

All global drupal variables should be banned.

Comments

A recent issue added a note

Posted by joachim on May 6, 2010 at 12:15pm
joachim's picture

A recent issue added a note about this to the documentation for user_load().

Happy

Posted by miro_dietiker on May 6, 2010 at 12:36pm
miro_dietiker's picture

That's cool, i'm really happy to see that coming up.

Coding standards

Group organizers

Group categories

Status

Group notifications

This group offers an RSS feed. Or subscribe to these personalized, sitewide feeds: