yesterday I've stumbled again across this issue with initvar(). initvar() looks for a GET or POST parameter, and sets a global variable accordingly. If neither parameter is set, it falls back to the following:
Code: Select all
$GLOBALS[$name] = @preg_replace("/.*?(" . $name . "=([^\&]*))?.*?/i", "\\2", sv('QUERY_STRING'));
This is quite sloppy, as an arbitrary prefix of the parameter name is simply ignored. For example consider the following URL: http://www.example.com/?Name_of_the_page&myplugin_edit=whatever. When initvar('edit') is called, $edit is set to 'whatever'.
I don't see the reason for this fallback. IMO checking for $_GET and $_POST is absolutely sufficient. Or does the core or any plugin rely on this behavior? Otherwise I suggest to remove the fallback.