I think the second argument of parse_str/mb_parse_str
should be changed from optional to mandatory.
parse_str(string encoded_string [, array result])
-> parse_str(string encoded_string , array result)
It is to reduce the risk of vulnerability, and it has nearly the same risk
as register_globals, which was removed from PHP 5.4.
The vulnerability against code injection attack found in a recent
phpMyAdmin is just an example.
The current implementation of parse_str changes
the active symbol table in the function.
I think that it has the possible security risk like,
The side effect is that the old code like parse_str($query_string) should
be changed, but, I think it is a good direction to improve the security.
Rui Hirokawa <firstname.lastname@example.org>
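
The difference between the two call forms discussed in the message, as an added example that is not part of the original message or of PHP's own code. The query string, the function names and the `$is_admin` variable are constructed for illustration; the one-argument call was deprecated in PHP 7.2 and removed in PHP 8.0, so the legacy function only exercises it on older interpreters.

```php
<?php
// Added illustration; input, function names and $is_admin are constructed.
declare(strict_types=1);

$query_string = 'page=2&is_admin=1';   // constructed, attacker-controlled input

// Two-argument form (the signature the message proposes to make mandatory).
function read_params(string $qs, array $allowed): array
{
    $is_admin = false;                 // local state that must not be overwritten
    parse_str($qs, $result);           // decoded values land in $result only
    // Keep only the keys the caller expects; everything else is dropped.
    $params = array_intersect_key($result, array_flip($allowed));
    return ['is_admin' => $is_admin, 'params' => $params];
}

// One-argument form: decoded keys become variables in the calling scope,
// the same effect register_globals had on request parameters.
function read_params_legacy(string $qs): ?bool
{
    if (PHP_VERSION_ID >= 80000) {
        return null;                   // the one-argument form no longer exists
    }
    $is_admin = false;
    @parse_str($qs);                   // creates $page and overwrites $is_admin
    return (bool) $is_admin;
}

// $is_admin stays false and only the allowlisted 'page' key is returned.
var_dump(read_params($query_string, ['page']));

// On PHP < 8.0 the local $is_admin is overwritten by the query string;
// on PHP >= 8.0 the function returns null without calling parse_str.
var_dump(read_params_legacy($query_string));
```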