1
Numerous 'older' XOOPS modules used the following code to import form data for processing:
le="color: #000000"><?php foreach ( $_POST as $k => $v ) { ${$k} = $v; } foreach ( $_GET as $k => $v ) { ${$k} = $v; }
Importing variables into the symbol table using this method is insecure and a poor programming practice. Instead the module should import only known variables or at least only import into variables which can be identified as coming from a POST/GET import.
Method 1 - only allow known variables
[PREFERRED]le="color: #000000"><?php $knownVar1 = (isset($_POST['knownVar1'])) ? $_POST['knownVar1'] : NULL; $knownVar1 = (isset($_GET['knownVar1'])) ? $_GET['knownVar1'] : $knownVar1; $knownVar2 = (isset($_POST['knownVar2'])) ? $_POST['knownVar2'] : NULL; $knownVar2 = (isset($_GET['knownVar2'])) ? $_GET['knownVar2'] : $knownVar2; ... $knownVarn = (isset($_POST['knownVarn'])) ? $_POST['knownVarn'] : NULL; $knownVarn = (isset($_GET['knownVarn'])) ? $_GET['knownVarn'] : $knownVarn; /* now sanitize all variables imported above * * $knownVar1, $knownVar2, ... $knownVarn */
Method 2 - importing into prefixed variable
le="color: #000000"><?php extract ($_POST, EXTR_PREFIX_ALL, 'unsanitized_'); extract ($_GET, EXTR_PREFIX_ALL, 'unsanitized_'); /* now sanitize all variables that start with * $unsanitized_and do not reference * any variable that starts with $unsanitized_ * anywhere else in the file * */
EDITED 10 Aug 2010Another option...
Method 3
If you're willing to require your users to have PHP5
> 5.2.0 then use the
PHP filter functionsEnd of 10 Aug 2010 Edit