Michal Čihař schrieb:
Hi all
I think we all agree on removal of this security evil script. Marc and I already had a non-public discussion on this topic, however I think it should go on this list, so let's start it again :-).
Basically there is a need for some function to grab required parameters from the request and clean up the GLOBALS array in case register_globals is on.
cleanup is already done in grab_globals
I suggested to create some function like:
PMA_grabParameter($name, $request, $sanitizing = 'none', $required = TRUE)
The request parameter might not be needed, but it's up to discussion.
While Marc came up with the way Moodle does it:
Moodle does this (I did not paste the full clean_param() function):
$id = optional_param('id', 0, PARAM_INT);
$name = optional_param('name');
$edit = optional_param('edit');
$idnumber = optional_param('idnumber');

function optional_param($varname, $default=NULL, $options=PARAM_CLEAN) {
    if (isset($_POST[$varname])) {         // POST has precedence
        $param = $_POST[$varname];
    } else if (isset($_GET[$varname])) {
        $param = $_GET[$varname];
    } else {
        return $default;
    }
    return clean_param($param, $options);
}
Comments?
// ifsetor() ;-)
function checkRequest($name, $default = null) {
    if ( isset( $_REQUEST[$name] ) ) {
        return $_REQUEST[$name];
    }
    return $default;
}
I think in most cases PMA should use $_REQUEST directly and use one of the above functions only to set default values.
Using $_REQUEST makes it more clear where this variable came from, always reminding the developer to take care with these variables!
And I think it's not good to always 'clean' variables.
What would you clean off? You cannot decide what users insert into their databases or how they name their tables and fields.
You just have to take care to escape the input correctly before inserting or displaying - but not cleaning!
And if the variable is a choice of options you have to check against the original choices (in_array or array_key_exists).
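The approach argued for in this reply (fetch with a default, validate a choice against the original list of options, and escape at the point of use instead of "cleaning" on input), as an added, self-contained illustration; this is not code from the thread, from phpMyAdmin or from Moodle. The helper names getRequestParam(), getChoiceParam(), backquote() and escapeHtml() and the sample $_REQUEST contents are assumptions made for the example; the identifier quoting follows MySQL's rule of wrapping in backticks and doubling embedded backticks.

```php
<?php
// Added example, not from the thread. Helpers and sample request are assumed.

// Fetch a request parameter with a default. No "cleaning" happens here:
// the value is returned exactly as the user sent it.
function getRequestParam(string $name, $default = null)
{
    return isset($_REQUEST[$name]) ? $_REQUEST[$name] : $default;
}

// For a parameter that must be one of a fixed set of options, compare against
// the original choices with strict in_array(); anything else becomes the default.
function getChoiceParam(string $name, array $choices, $default)
{
    $value = getRequestParam($name, $default);
    return in_array($value, $choices, true) ? $value : $default;
}

// Escape for an SQL identifier (table/column name) in MySQL syntax:
// wrap in backticks and double any backtick inside the name.
function backquote(string $identifier): string
{
    return '`' . str_replace('`', '``', $identifier) . '`';
}

// Escape for HTML output.
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample request standing in for real GET/POST data.
$_REQUEST = [
    'table' => "odd `name` with 'quotes' & <tags>", // free text: escape later, never "clean"
    'order' => 'DROP',                              // not an allowed choice
];

$table = getRequestParam('table', '');
$order = getChoiceParam('order', ['ASC', 'DESC'], 'ASC');   // falls back to 'ASC'
$limit = getChoiceParam('limit', ['10', '25', '50'], '25'); // missing: default '25'

// Escaping is applied where the value is used, and differs per context.
$sql  = 'SELECT * FROM ' . backquote($table)
      . ' ORDER BY ' . backquote('id') . ' ' . $order
      . ' LIMIT ' . (int) $limit;
$html = '<h2>' . escapeHtml($table) . '</h2>';

echo $sql, "\n";
// SELECT * FROM `odd ``name`` with 'quotes' & <tags>` ORDER BY `id` ASC LIMIT 25
echo $html, "\n";
// <h2>odd `name` with &#039;quotes&#039; &amp; &lt;tags&gt;</h2>
```

The table name keeps its backticks, quotes and angle brackets all the way through; only the SQL statement and the HTML page get their own context-specific escaping, while the ORDER BY direction and LIMIT are constrained to the original choices rather than escaped. Values bound as SQL data (not identifiers) would go through a prepared statement or the driver's escaping function in the same spirit.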