I was talking with one of my programmers earlier and he showed me a piece of code he was considering:
foreach ($_REQUEST as $var => $val) {
    $$var = addslashes($val);
}
He wanted to be able to use $varName instead of having to write $_REQUEST['varName'].
I advised him to use mysql_real_escape_string instead of addslashes, and not to put the $_REQUEST variables onto the local stack because that gives hackers an attack vector. To me that seems like the same problem that the old register_globals directive had.
He said there were not the same security risks because those variables were all being created on the local stack. So I was uncertain, and I checked out the PHP variable variables page at http://www.php.net/manual/en/language.variables.variable.php but saw no reference to superglobals and security other than the warning box.
Can hackers easily take advantage of that construct?
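The following is an added example (editor's own, not code from the original post) that runs the loop from the question against a constructed request to show what the construct allows even when it sits inside a function. The variable names ($is_admin, $user_id), the parameter name 'search', the request contents and the safe_import() helper are all assumptions made up for the demonstration.

```php
<?php
// Added example, not code from the original post. The request below is
// constructed; on a real page it is $_REQUEST, which PHP fills from GET, POST
// and cookies, so every key is attacker-controlled. Here the client has added
// "is_admin" and "user_id", which the page never asked for.
$request = [
    'search'   => "O'Reilly",
    'is_admin' => '1',
    'user_id'  => '1',
];

// The loop from the question, placed inside a function so the variables are
// "on the local stack". The client chooses the variable NAME, so any local
// assigned before the loop is silently overwritten. addslashes() only escapes
// quotes in the VALUE; it has no effect on which variable gets written.
function vulnerable_import(array $request): array
{
    $is_admin = false;   // decided by the application, never by the request
    $user_id  = 42;      // the authenticated user

    foreach ($request as $var => $val) {
        // Note: a value sent as ?search[]=x arrives as an array and makes
        // addslashes() throw a TypeError on PHP 8 (a warning on PHP 7).
        $$var = addslashes($val);
    }

    // Both locals set above have now been replaced by request-supplied
    // strings without any SQL being involved: this is exactly the
    // register_globals problem, just scoped to this function.
    return [
        'is_admin' => $is_admin,
        'user_id'  => $user_id,
        'search'   => $search ?? null,
    ];
}

// Hardened form (hypothetical helper): the application names the parameters
// it expects and copies only those, so a request key can never become a
// variable the code did not plan for. Non-string values are rejected instead
// of cast, and escaping is left to the consumer (e.g. PDO prepared
// statements) rather than baked into the stored value as addslashes() does.
function safe_import(array $request, array $allowed): array
{
    $params = [];
    foreach ($allowed as $name) {
        $params[$name] = (array_key_exists($name, $request) && is_string($request[$name]))
            ? $request[$name]
            : null;
    }
    return $params;
}

$after = vulnerable_import($request);
var_dump($after['is_admin'], $after['user_id']);

$safe = safe_import($request, ['search']);
var_dump($safe);
```

Run it with php on the command line: vulnerable_import() hands back the string "1" for both is_admin and user_id, so a later `if ($is_admin)` passes and the user's identity has changed, while safe_import() returns only the 'search' value and drops the two extra keys. The escaping choice (addslashes versus mysql_real_escape_string) is orthogonal to this problem; neither stops the request from picking the variable name, and neither is a substitute for parameterised queries.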