Subject:*
<
Name/Email:*
<
Message Icon:*
<
Select*
<
Message:*
<



Click the Preview to see the content in action.
Options:*
<
Confirmation Code*
<
8 - 1 = ?  
Input the result from the expression
Maximum attempts you can try: 10
*
<
     

Re: Blue Move Tip - Importing GET/POST Variables
by Peekay on 2010/8/10 12:32:01

Thx zyspec.

If anyone has any tips about using GET/POST VARs in Xoops, add them to this thread, or you can create a 'Blue Move Tip' post about anything that will help bring old modules up to speed.
Blue Move Tip - Importing GET/POST Variables
by zyspec on 2010/8/10 5:30:36

Numerous 'older' XOOPS modules used the following code to import form data for processing:

le="color: #000000"><?php foreach ( $_POST as $k => $v ) { ${$k} = $v; } foreach ( $_GET as $k => $v ) { ${$k} = $v; }


Importing variables into the symbol table using this method is insecure and a poor programming practice. Instead the module should import only known variables or at least only import into variables which can be identified as coming from a POST/GET import.

Method 1 - only allow known variables [PREFERRED]
le="color: #000000"><?php $knownVar1 = (isset($_POST['knownVar1'])) ? $_POST['knownVar1'] : NULL; $knownVar1 = (isset($_GET['knownVar1'])) ? $_GET['knownVar1'] : $knownVar1; $knownVar2 = (isset($_POST['knownVar2'])) ? $_POST['knownVar2'] : NULL; $knownVar2 = (isset($_GET['knownVar2'])) ? $_GET['knownVar2'] : $knownVar2; ... $knownVarn = (isset($_POST['knownVarn'])) ? $_POST['knownVarn'] : NULL; $knownVarn = (isset($_GET['knownVarn'])) ? $_GET['knownVarn'] : $knownVarn; /* now sanitize all variables imported above * * $knownVar1, $knownVar2, ... $knownVarn */


Method 2 - importing into prefixed variable
le="color: #000000"><?php extract ($_POST, EXTR_PREFIX_ALL, 'unsanitized_'); extract ($_GET, EXTR_PREFIX_ALL, 'unsanitized_'); /* now sanitize all variables that start with * $unsanitized_and do not reference * any variable that starts with $unsanitized_ * anywhere else in the file * */


EDITED 10 Aug 2010
Another option...

Method 3
If you're willing to require your users to have PHP5 > 5.2.0 then use the PHP filter functions
End of 10 Aug 2010 Edit

Who's Online

198 user(s) are online (145 user(s) are browsing Support Forums)


Members: 0


Guests: 198


more...

Donat-O-Meter

Stats
Goal: $15.00
Due Date: Jul 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $15.00
Make donations with PayPal!

Latest GitHub Commits