[Phpmyadmin-devel] Removing of grab_globals
Michal Čihař
michal at cihar.com
Wed Dec 7 01:10:05 CET 2005
Hi all
I think we all agree on removal of this security evil script. Me and
Marc already had non public discussion on this topic, however I think
it should go on this list, so let's start it again :-).
Basically there is need for some function to grab required parameters
from request and clean up GLOBALS array in case of register_globals is
on.
I suggested to create some function like:
    PMA_grabParameter($name, $request, $sanitizing = 'none', $required = TRUE)
The request parameter might not be needed, but it's up to discussion.
While Marc came with way how Moodle does it:
Moodle does this (I did not paste the full clean_param() function)
    $id = optional_param('id', 0, PARAM_INT);
    $name = optional_param('name');
    $edit = optional_param('edit');
    $idnumber = optional_param('idnumber');

    function optional_param($varname, $default=NULL, $options=PARAM_CLEAN) {
        if (isset($_POST[$varname])) { // POST has precedence
            $param = $_POST[$varname];
        } else if (isset($_GET[$varname])) {
            $param = $_GET[$varname];
        } else {
            return $default;
        }
        return clean_param($param, $options);
    }
Comments?
I do not think it is good idea to have optional parameters in most of
code.
--
Michal Čihař | http://cihar.com
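
The difference between the proposed PMA_grabParameter() and Moodle's optional_param() is what happens when a parameter is absent or malformed. The sketch below is an added example, not part of the original message and not phpMyAdmin's or Moodle's code; the sanitizing mode names 'int' and 'name' and the exception behaviour are assumptions made for illustration.

```php
<?php
// Hypothetical sketch of the PMA_grabParameter() signature proposed above.
// The modes 'int' and 'name' are assumed; only 'none' appears in the message.
function PMA_grabParameter($name, array $request, $sanitizing = 'none', $required = true)
{
    if (!isset($request[$name])) {
        // A missing required parameter fails loudly instead of defaulting.
        if ($required) {
            throw new InvalidArgumentException("Missing required parameter: $name");
        }
        return null;
    }
    if (!is_scalar($request[$name])) {
        // Reject array input such as ?id[]=1 so callers always get a scalar.
        throw new InvalidArgumentException("Invalid value for parameter: $name");
    }
    $value = (string) $request[$name];
    switch ($sanitizing) {
        case 'int':
            // Whole-string digit match; no "12abc" coercion, no overflow.
            $ok = preg_match('/^-?[0-9]{1,9}$/D', $value) === 1;
            $value = $ok ? (int) $value : null;
            break;
        case 'name':
            // Conservative allow-list for identifier-like values.
            $ok = preg_match('/^[A-Za-z0-9_]{1,64}$/D', $value) === 1;
            break;
        case 'none':
            $ok = true;
            break;
        default:
            throw new LogicException("Unknown sanitizing mode: $sanitizing");
    }
    if (!$ok) {
        throw new InvalidArgumentException("Invalid value for parameter: $name");
    }
    return $value;
}

// Constructed sample request, standing in for $_POST or $_GET.
$request = array('id' => '42', 'table' => 'users', 'edit' => '1; DROP');

var_dump(PMA_grabParameter('id', $request, 'int'));
var_dump(PMA_grabParameter('table', $request, 'name'));
var_dump(PMA_grabParameter('missing', $request, 'int', false));
try {
    PMA_grabParameter('edit', $request, 'int');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Passing the request array explicitly keeps the function independent of superglobals, which is the role of the $request argument in the proposed signature.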