
18 Dec 2005, 3:17 p.m.
Hi,

in the bookmarks creation dialog, we have a hidden goto that contains "sql.php?db=mybase&table=mytable" and some other parameters. Current logic in common.lib.php:

    if (isset($_REQUEST['goto']) && in_array($_REQUEST['goto'], $goto_whitelist)) {

fails in this case because the white list contains sql.php and we are comparing with a $_REQUEST['goto'] containing sql.php plus parameters.

Same problem could happen for other parameters like $back, I'm not sure.

Is there another function like in_array() but able to compare a substring? If not, we'll have to do something like:

    if (isset($_REQUEST['goto']) && in_array(substr($_REQUEST['goto'],0,strpos($_REQUEST['goto'] . '?','?')), $goto_whitelist)) {

Marc
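The script-name comparison proposed in the message above, run over a handful of inputs. This is an added example, not part of the original post or the project's code. The helper name `goto_script_is_whitelisted`, the whitelist contents and the sample values are assumptions constructed for illustration.

```php
<?php
// Constructed whitelist for illustration; the real $goto_whitelist is
// defined in common.lib.php and is not shown in the message.
$goto_whitelist = array('sql.php', 'tbl_properties.php', 'db_details.php');

/**
 * Hypothetical helper: true when the script part of $goto (everything
 * before the first '?') is an exact whitelist entry.
 */
function goto_script_is_whitelisted($goto, array $whitelist)
{
    // Request values can arrive as arrays (goto[]=x); accept strings only.
    if (!is_string($goto) || $goto === '') {
        return false;
    }
    // Appending '?' guarantees strpos() finds a match, so a value without
    // a query string yields the whole string as the script name.
    $script = substr($goto, 0, strpos($goto . '?', '?'));
    // Strict mode: compare as identical strings, with no type juggling.
    return in_array($script, $whitelist, true);
}

// Constructed sample inputs.
$samples = array(
    'sql.php',                                   // bare script name
    'sql.php?db=mybase&table=mytable',           // bookmark dialog value
    'sql.php.bak?db=mybase',                     // longer name, same prefix
    'http://example.invalid/sql.php?db=mybase',  // absolute URL
    '../sql.php?db=mybase',                      // path prefix
    '?sql.php',                                  // empty script part
    array('sql.php'),                            // array-valued parameter
);

foreach ($samples as $goto) {
    $label = is_array($goto) ? 'array(...)' : $goto;
    $ok = goto_script_is_whitelisted($goto, $goto_whitelist);
    printf("%-45s %s\n", $label, $ok ? 'accept' : 'reject');
}
```

Only the part before the first '?' is checked here; the query string that follows it passes through unexamined, so the code that later consumes `goto` still has to treat those parameters as untrusted.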