Numerous 'older' XOOPS modules used the following code to import form data for processing:
// Copies every request key into a local variable of the same name
// (equivalent to register_globals): any variable the script already holds
// can be overwritten by a request parameter with that name.
foreach ( $_POST as $k => $v ) { ${$k} = $v; }
foreach ( $_GET as $k => $v ) { ${$k} = $v; }
Importing variables into the symbol table this way is insecure and poor programming practice: a request can create or overwrite any variable the script uses. Instead, a module should import only known variables, or at the very least import only into variables that are clearly identifiable as coming from a POST/GET import.
Method 1 - only allow known variables [PREFERRED]
$knownVar1 = (isset($_POST['knownVar1'])) ? $_POST['knownVar1'] : NULL;
$knownVar1 = (isset($_GET['knownVar1'])) ? $_GET['knownVar1'] : $knownVar1;
$knownVar2 = (isset($_POST['knownVar2'])) ? $_POST['knownVar2'] : NULL;
$knownVar2 = (isset($_GET['knownVar2'])) ? $_GET['knownVar2'] : $knownVar2;
...
$knownVarn = (isset($_POST['knownVarn'])) ? $_POST['knownVarn'] : NULL;
$knownVarn = (isset($_GET['knownVarn'])) ? $_GET['knownVarn'] : $knownVarn;
/* now sanitize all variables imported above
*
* $knownVar1, $knownVar2, ... $knownVarn
*/
Method 2 - importing into prefixed variable
// extract() inserts an underscore between the prefix and the key, so with
// the prefix 'unsanitized' the keys become $unsanitized_key (with the
// original prefix 'unsanitized_' they would become $unsanitized__key).
extract ($_POST, EXTR_PREFIX_ALL, 'unsanitized');
extract ($_GET, EXTR_PREFIX_ALL, 'unsanitized');
/* now sanitize all variables that start with
 * $unsanitized_ and do not reference
 * any variable that starts with $unsanitized_
 * anywhere else in the file
 */
EDITED 10 Aug 2010
Another option...
Method 3
If you're willing to require your users to have PHP5 > 5.2.0 then use the PHP filter functions.
End of 10 Aug 2010 Edit
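As an added example that is not part of the original post or of XOOPS itself, Method 1 and Method 3 combined: a whitelist importer that pulls only named fields from POST/GET (GET overriding POST, as in Method 1) through the PHP filter extension. The function name importRequestVars() and the field list are assumptions for illustration.

```php
<?php
// Added example, not code from the original post or from XOOPS.
// Requires the filter extension (bundled since PHP 5.2).
function importRequestVars(array $spec)
{
    $out = array();
    foreach ($spec as $name => $rule) {
        $filter  = isset($rule['filter'])  ? $rule['filter']  : FILTER_DEFAULT;
        $options = isset($rule['options']) ? $rule['options'] : 0;
        $value   = isset($rule['default']) ? $rule['default'] : null;

        // Same precedence as Method 1: POST first, then GET overrides.
        foreach (array(INPUT_POST, INPUT_GET) as $source) {
            // filter_input() returns null when the key is absent and false
            // when a value is present but fails validation; in both cases
            // the current value (default or POST) is kept. For
            // FILTER_VALIDATE_BOOLEAN pass FILTER_NULL_ON_FAILURE instead.
            $v = filter_input($source, $name, $filter, $options);
            if ($v !== null && $v !== false) {
                $value = $v;
            }
        }
        $out[$name] = $value;
    }
    // Keys the client sent that are not in $spec never reach the symbol
    // table, which is exactly the property the foreach/${$k} import lacks.
    return $out;
}

// Constructed field specification for a hypothetical "edit item" form.
$fields = array(
    'item_id' => array(
        'filter'  => FILTER_VALIDATE_INT,
        'options' => array('options' => array('min_range' => 1)),
        'default' => 0,
    ),
    'title'   => array('filter' => FILTER_SANITIZE_SPECIAL_CHARS, 'default' => ''),
    'email'   => array('filter' => FILTER_VALIDATE_EMAIL, 'default' => null),
);

$vars    = importRequestVars($fields);
$item_id = $vars['item_id'];   // validated integer >= 1, or 0
$title   = $vars['title'];     // HTML special characters encoded
$email   = $vars['email'];     // syntactically valid address, or null
```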