[Phpmyadmin-devel] Removing of grab_globals

Sebastian Mendel lists at sebastianmendel.de
Wed Dec 7 01:27:01 CET 2005


Michal Čihař wrote:
> Hi all
> 
> I think we all agree on the removal of this security-evil script. Marc and
> I already had a non-public discussion on this topic; however, I think
> it should go on this list, so let's start it again :-).
> 
> Basically there is a need for some function to grab required parameters
> from the request and clean up the GLOBALS array in case register_globals is
> on.

Cleanup is already done in grab_globals.


> I suggested to create some function like:
> 
> PMA_grabParameter($name, $request, $sanitizing = 'none', $required =
> TRUE)
> 
> The request parameter might not be needed, but it's up to discussion.
> 
> While Marc came up with the way Moodle does it:
> 
> Moodle does this (I did not paste the full clean_param() function):
> 
> $id          = optional_param('id', 0, PARAM_INT);
> $name        = optional_param('name');
> $edit        = optional_param('edit');
> $idnumber    = optional_param('idnumber');
> 
> 
> function optional_param($varname, $default=NULL, $options=PARAM_CLEAN) {
> 
>      if (isset($_POST[$varname])) {       // POST has precedence
>          $param = $_POST[$varname];
>      } else if (isset($_GET[$varname])) {
>          $param = $_GET[$varname];
>      } else {
>          return $default;
>      }
> 
>      return clean_param($param, $options);
> }
> 
> Comments?

// ifsetor() ;-)
function checkRequest($name, $default = null)
{
     if ( isset( $_REQUEST[$name] ) ) {
         return $_REQUEST[$name];
     }

     return $default;
}

I think in most cases PMA should use $_REQUEST directly and use one of 
the above functions only to set default values.

Using $_REQUEST makes it clearer where this variable came from, 
always reminding the developer to take care with these variables!

And I think it's not good to always 'clean' variables.

What will you clean off? You cannot decide what users insert into their 
database or how they name their tables and fields.

You just have to take care to escape the input correctly before 
inserting or displaying it - but not cleaning!

And if the variable is a choice of options you have to check it against the 
original choices (in_array or array_key_exists).


-- 
Sebastian Mendel

www.sebastianmendel.de
www.sf.net/projects/phpdatetime | www.sf.net/projects/phptimesheet
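As an added example illustrating the approach argued for in this message (it is not code from the thread or from phpMyAdmin itself), here is a PHP sketch: a checkRequest()-style helper that only supplies a default and returns the value otherwise untouched, with escaping done at the point of use for the context of use, and a choice-type parameter checked against the original choices with a strict in_array(). The function names, the quoting helpers and the sample $_REQUEST values are assumptions made for this example; for SQL string literals against a live connection one would use the driver's escaping function rather than the identifier quoting shown here.

```php
<?php
// Added example, not phpMyAdmin code: read request parameters with defaults
// only, then escape per context and check choices at the point of use.
// Function names and the constructed $_REQUEST values are assumptions.

// Read a request parameter verbatim, falling back to a default when absent.
// No "cleaning" happens here: the raw value is returned as the user sent it.
function getRequestParam(string $name, $default = null)
{
    if (isset($_REQUEST[$name])) {
        return $_REQUEST[$name];
    }
    return $default;
}

// Quote a MySQL identifier (database, table or column name) with backticks.
// A user may legitimately name a table "weird`name", so instead of stripping
// characters we escape the only one that is dangerous in this context: the
// backtick, which MySQL expects doubled inside a quoted identifier.
function quoteIdentifier(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

// Escape a value for insertion into HTML output.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// For parameters that select one of a fixed set of options, compare against
// the original choices (strict, so an array or "0" cannot sneak through) and
// fall back to the default rather than trusting the input.
function chooseOption(string $name, array $choices, string $default): string
{
    $value = getRequestParam($name, $default);
    return in_array($value, $choices, true) ? $value : $default;
}

// --- Demonstration with a constructed request (not real traffic) -----------
$_REQUEST = [
    'table'    => 'users`; DROP TABLE users; -- ',   // hostile table name
    'message'  => '<script>alert(1)</script>',        // hostile display text
    'sort_dir' => 'ASC; DELETE FROM users',           // not one of the choices
];

$table   = getRequestParam('table', '');
$message = getRequestParam('message', '');
$sortDir = chooseOption('sort_dir', ['ASC', 'DESC'], 'ASC');

// Escape at the point of use, for the context of use: the table name is
// still exactly what the user typed, but it can no longer break out of the
// identifier; the message cannot break out of the HTML element; the sort
// direction is guaranteed to be one of the two original choices.
$sql  = 'SELECT * FROM ' . quoteIdentifier($table) . ' ORDER BY 1 ' . $sortDir;
$html = '<p>' . escapeHtml($message) . '</p>';

echo $sql, "\n";
echo $html, "\n";
```

The helpers take strings; a request that sends an array for a scalar parameter (`?table[]=x`) would need to be rejected by the caller before quoting, which is exactly the kind of per-use check this approach leaves to the developer instead of a global "clean" pass.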



