oh, yeah. automatic variable creation is GREAT! for those of
you who aren't familiar with this, PHP's default settings
cause it to look for incoming GET, POST, and COOKIE
variables in a specified order and import them into the
global namespace. so, if someone calls your script with
foo=bar as a parameter, the variable $foo in the global
namespace will be 'bar'.
however, since PHP also stores variables for system
settings in this same global namespace, some of which are
not always populated, it is pretty easy for a user to spoof
your script by passing in variables with the correct names.
for example, when a script is running under an SSL server,
the environment variable HTTPS is set to 'ON'. however, in
other circustances, it is not set at all. so, if you have
a custom PHP function that you want to behave differently
based on whether it is called by a script under an SSL
web server or not, you can't just check the value of HTTPS
because it may have been passed in by the end user with
HTTPS=ON. to get around this, you either have to disable
the automatic variable creation by unsetting your GPC_ORDER
(which is a very kludgy thing to do on a per script basis),
or check to make sure that HTTPS=ON isn't in HTTP_GET_VARS,
HTTP_POST_VARS, or HTTP_COOKIE_VARS, thereby eliminating the
value the namespace munging had in the first place. that is
just idiotic, IMHO.
i myself use PHP fairly often, so i don't by any means
think it is horrible, but it definitely fails in a number of
areas where Perl shines (and vice versa, occasionally).