Hi all
I think we all agree on removal of this security evil script. Marc and I
already had a non-public discussion on this topic, however I think
it should go on this list, so let's start it again :-).
Basically there is a need for some function to grab required parameters
from the request and clean up the GLOBALS array in case register_globals is
on.
I suggested creating some function like:
PMA_grabParameter($name, $request, $sanitizing = 'none', $required = TRUE)
The request parameter might not be needed, but it's up to discussion.
Marc, on the other hand, came with the way Moodle does it.
Moodle does this (I did not paste the full clean_param() function):
$id = optional_param('id', 0, PARAM_INT);
$name = optional_param('name');
$edit = optional_param('edit');
$idnumber = optional_param('idnumber');

function optional_param($varname, $default=NULL, $options=PARAM_CLEAN) {
    if (isset($_POST[$varname])) { // POST has precedence
        $param = $_POST[$varname];
    } else if (isset($_GET[$varname])) {
        $param = $_GET[$varname];
    } else {
        return $default;
    }
    return clean_param($param, $options);
}
Comments?
I do not think it is a good idea to have optional parameters in most of
the code.
--
Michal Čihař |
http://cihar.com
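One way the suggested PMA_grabParameter() signature could be filled in, as an added example that is not from the original mail, phpMyAdmin or Moodle. The sanitizing mode names ('none', 'int', 'alnum', 'bool'), the exception on a missing required parameter, and the removal of the register_globals copy from $GLOBALS are assumptions made for this example.

```php
<?php
// Added example (not from the mail or either project): a possible
// implementation of PMA_grabParameter($name, $request, $sanitizing, $required).
// Sanitizing modes and the exception behaviour are assumptions.

function PMA_grabParameter($name, $request = null, $sanitizing = 'none', $required = true)
{
    if ($request === null) {
        // POST takes precedence over GET, like Moodle's optional_param().
        // Array union keeps the left-hand (POST) value for duplicate keys.
        $request = $_POST + $_GET;
    }

    // With register_globals on, PHP also copies request values into the
    // global scope. Drop that copy so the value can only be reached
    // through the checked return value of this function.
    if (ini_get('register_globals') && array_key_exists($name, $GLOBALS)) {
        unset($GLOBALS[$name]);
    }

    if (!array_key_exists($name, $request)) {
        if ($required) {
            throw new InvalidArgumentException("Missing required parameter: $name");
        }
        return null;
    }
    $value = $request[$name];

    switch ($sanitizing) {
        case 'int':
            // Reject anything that is not a plain integer instead of casting.
            if (!preg_match('/^-?[0-9]+$/', (string) $value)) {
                throw new InvalidArgumentException("Parameter $name is not an integer");
            }
            return (int) $value;
        case 'alnum':
            return preg_replace('/[^A-Za-z0-9_]/', '', (string) $value);
        case 'bool':
            return in_array($value, array('1', 'true', 'on'), true);
        case 'none':
            return $value;
        default:
            throw new InvalidArgumentException("Unknown sanitizing mode: $sanitizing");
    }
}

// Constructed request array standing in for $_POST/$_GET.
$request = array('id' => '42', 'name' => 'tbl users; x', 'edit' => 'on');
var_dump(PMA_grabParameter('id', $request, 'int'));
var_dump(PMA_grabParameter('name', $request, 'alnum'));
var_dump(PMA_grabParameter('edit', $request, 'bool'));
var_dump(PMA_grabParameter('missing', $request, 'none', false));
```

Calling it for a missing parameter with $required left at its default throws rather than silently returning NULL, which is the behaviour the mail argues for over optional parameters.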