Sebastian Mendel a écrit :
Marc Delisle schrieb:
i think in most cases PMA should use $_REQUEST directly and use one of the above function only to set default values
using of $_REQUEST makes it more clear where this variable came from, reminding the developer always to take care with this variables!
I don't understand why using $_REQUEST makes more clear where this variable came from. In $_REQUEST, variables can come from EGPCS, as defined by the variables_order directive. I think that it's better to say explicitly where we expect each variable to come from.
$_REQUEST holds only $_POST, $_GET, $_COOKIE, normally in this order
Not according to http://www.php.net/manual/en/ini.core.php#ini.variables-order
and it makes clear that this variable came from outside and has to be handled with care, of course the other superglobals too
So why not go with the clearer way?
and i think its not good to always 'clean' variables
what will you clean of? you can not decide what users inserts into her database or they name her tables and fields
We have many possible sources for an attack. An evident one is with the variables that are echoed back (partly checked with PMA_sanitize(), for example in sql.php. But there are other sources, like attacks on $_FILES.
$_Files is only used in import or binary upload, in this rare places this Array should be handled explicitly
Ok.