Hi,
in the bookmarks creation dialog, we have a hidden goto that contains "sql.php?db=mybase&table=mytable" and some other parameters.
Current logic in common.lib.php:
if (isset($_REQUEST['goto']) && in_array($_REQUEST['goto'], $goto_whitelist)) {
fails in this case because the whitelist contains sql.php and we are comparing it with a $_REQUEST['goto'] containing sql.php plus parameters.
The same problem could happen for other parameters like $back; I'm not sure.
Is there another function like in_array() but able to compare a substring? If not, we'll have to do something like:
if (isset($_REQUEST['goto']) && in_array(substr($_REQUEST['goto'],0,strpos($_REQUEST['goto'] . '?','?')), $goto_whitelist)) {
Marc
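The check Marc proposes, written out as a small stand-alone script so the accepted and rejected cases can be seen side by side (an added example, not phpMyAdmin's own code; the whitelist entries other than sql.php and the sample values are constructed):

```php
<?php
// Added example (not phpMyAdmin code): validate a "goto" value against a
// whitelist of allowed script names, ignoring any query string it carries.

// Constructed whitelist; the real $goto_whitelist lives in common.lib.php.
$goto_whitelist = array('db_details.php', 'sql.php', 'tbl_properties.php');

function getGotoScript($goto)
{
    // Keep only the part before the first '?' so that
    // "sql.php?db=mybase&table=mytable" compares as "sql.php".
    // Appending '?' guarantees strpos() finds a match even when
    // the value carries no query string at all.
    return substr($goto, 0, strpos($goto . '?', '?'));
}

function isAllowedGoto($goto, array $whitelist)
{
    // Strict comparison: the script name must equal a whitelist entry exactly,
    // so a value with a directory prefix or a host part never matches.
    return in_array(getGotoScript($goto), $whitelist, true);
}

// Constructed sample values as they might arrive in $_REQUEST['goto'].
$samples = array(
    'sql.php',                          // plain name: allowed
    'sql.php?db=mybase&table=mytable',  // hidden field from the bookmark dialog: allowed
    'main.php',                         // not in the list: rejected
    '../sql.php?db=mybase',             // directory prefix: rejected
);

foreach ($samples as $goto) {
    $ok = isAllowedGoto($goto, $goto_whitelist);
    // Fall back to a constructed safe default when the value is not whitelisted.
    $target = $ok ? $goto : 'main.php';
    printf("%-36s -> %s (redirect to %s)\n",
        $goto, $ok ? 'allowed' : 'rejected', $target);
}
```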