I always hear that using global variables is dangerous. Does this apply to Drupal? Take a look at the following example:

function myFunction($bla) {
    global $user;   // $user is the account object Drupal sets up; this function does not define it
    if (isAuthenticated($user->uid)) {
        print $secretCode;
    }
}

Can this be hacked?

+3  A: 

Global variables can be dangerous for many reasons, some of which include:

  1. They clutter namespaces.
  2. They make maintenance difficult and encourage monkeypatching, since global variables can be modified from anywhere.
  3. They are not referentially transparent.
  4. In memory-managed languages, global variables can become the source of memory leaks.
  5. They make debugging especially difficult in large applications/sites, as it can be hard to track down where they are being set and modified.

Nothing is particularly threatening about your use case. It should be fine. If you're very scared, you can ensure that $user->uid is an integer before evaluating:

function myFunction($bla) {
    global $user;
    if (is_int($user->uid)) {
        if (isAuthenticated($user->uid)) {
            print $secretCode;
        }
    }
}

But this is probably unnecessary.

cpharmston
Do you perhaps know if it's dangerous in my specific example? I know that $user is a built-in variable. I.e. I don't define it, Drupal does.
RD
Edited my answer a bit.
cpharmston
One more question. Is there no way that a "hacker" can pass in his own uid? I mean, if he could pass in a uid of 1, that would mean he's admin.
RD
I haven't done much more than theming in Drupal, but IIRC, $user is only set when a user successfully logs in. If someone is able to hack that, the problem is much bigger than using globals :)
cpharmston
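The thread above asks whether a visitor can "pass in his own uid" through the global. The script below is an added example, not code from the question, the answer, or Drupal itself. It stands in for Drupal's bootstrap with a hypothetical session store and hypothetical function names (account_from_session, is_authenticated, secret_via_global, secret_for, run_as, import_request_into_globals), all constructed here so it runs offline under PHP 7 or later. It shows three things: a request on its own cannot change $user because the account is derived from the server-side session; what can change it is other PHP code in the same process that reassigns the global, either deliberately (an impersonation helper) or sloppily (a register_globals-style importer); and that the is_int() check from the answer rejects a uid that arrives as a numeric string.

```php
<?php
// Added example (not from the question or the answer). Every name below is
// hypothetical; the session store and the requests are constructed inline.

// The framework's job: derive the current account from the server-side session.
// Nothing the client sends (query string, POST body, cookie value) is used as a uid.
function account_from_session(array $session_store, string $session_id): stdClass {
    $anonymous = (object) ['uid' => 0, 'name' => 'anonymous'];
    return $session_store[$session_id] ?? $anonymous;
}

function is_authenticated(stdClass $account): bool {
    // Cast rather than is_int(): ids read from a database or session often arrive as strings.
    return (int) $account->uid > 0;
}

// Pattern from the question: the check reads a process-wide global.
function secret_via_global(): string {
    global $user;
    return is_authenticated($user) ? "secret for uid {$user->uid}" : 'denied';
}

// Hardened pattern: the caller hands over the account it was given at bootstrap,
// so the result depends only on the argument, not on whatever last touched $user.
function secret_for(stdClass $account): string {
    return is_authenticated($account) ? "secret for uid {$account->uid}" : 'denied';
}

// A hypothetical impersonation helper that some other module might ship. It never
// reads client input, yet it changes what every later `global $user` in the same
// request sees; forgetting the restore in `finally` leaks the elevated account.
function run_as(stdClass $other, callable $job) {
    global $user;
    $saved = $user;
    $user = $other;
    try {
        return $job();
    } finally {
        $user = $saved;
    }
}

// A register_globals-style importer (legacy PHP behaviour: off by default since 4.2,
// removed in 5.4). It copies request keys into global scope, so ?user[uid]=1
// overwrites $user with an array.
function import_request_into_globals(array $request): void {
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// --- constructed session store (stands in for the sessions table) ---
$session_store = [
    'sid-alice' => (object) ['uid' => '42', 'name' => 'alice'],
];
$admin = (object) ['uid' => 1, 'name' => 'admin'];

$user = account_from_session($session_store, 'sid-alice');
echo secret_via_global(), "\n";          // secret for uid 42
echo secret_for($user), "\n";            // secret for uid 42

$user = account_from_session($session_store, 'sid-unknown');
echo secret_via_global(), "\n";          // denied

// The visitor sends uid=1 in the request. Without code that copies request data
// into globals, nothing changes: the session still says anonymous.
$request = ['uid' => '1', 'user' => ['uid' => '1']];
echo secret_via_global(), "\n";          // denied

// Same request, but code elsewhere in the process reassigns the global.
echo run_as($admin, function () { return secret_via_global(); }), "\n"; // secret for uid 1
echo secret_via_global(), "\n";          // denied (restored by run_as)

import_request_into_globals($request);
try {
    echo secret_via_global(), "\n";
} catch (TypeError $e) {
    // $user is now an array, not an account object: the check is no longer
    // looking at an account at all.
    echo 'global $user replaced by request data, type is ', gettype($user), "\n";
}

// The type check from the answer, applied to a uid that arrived as a string:
var_dump(is_int('42'));                  // bool(false)
```

The point for a reviewer is the one the answer makes: the global is only as trustworthy as every piece of code that runs before the check, so passing the account explicitly (secret_for) is what removes the dependence on process-wide state, and the type check should be a cast or a ctype_digit()/filter_var() validation rather than is_int() if the uid may be a string.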