zyspec
Blue Move Tip - Importing GET/POST Variables
  • 2010/8/10 5:30

  • zyspec

  • Module Developer

  • Posts: 1095

  • Since: 2004/9/21


Numerous 'older' XOOPS modules used the following code to import form data for processing:

foreach ($_POST as $k => $v) { ${$k} = $v; }
foreach ($_GET as $k => $v) { ${$k} = $v; }


Importing variables into the symbol table using this method is insecure and a poor programming practice. Instead the module should import only known variables or at least only import into variables which can be identified as coming from a POST/GET import.

Method 1 - only allow known variables [PREFERRED]
/* read only the names the module actually expects; the POST value is
 * taken first and a GET value of the same name overrides it */
$knownVar1 = (isset($_POST['knownVar1'])) ? $_POST['knownVar1'] : NULL;
$knownVar1 = (isset($_GET['knownVar1'])) ? $_GET['knownVar1'] : $knownVar1;
$knownVar2 = (isset($_POST['knownVar2'])) ? $_POST['knownVar2'] : NULL;
$knownVar2 = (isset($_GET['knownVar2'])) ? $_GET['knownVar2'] : $knownVar2;
...
$knownVarn = (isset($_POST['knownVarn'])) ? $_POST['knownVarn'] : NULL;
$knownVarn = (isset($_GET['knownVarn'])) ? $_GET['knownVarn'] : $knownVarn;

/* now sanitize all variables imported above 
 *
 * $knownVar1, $knownVar2, ...  $knownVarn
 */


Method 2 - importing into prefixed variables
/* EXTR_PREFIX_ALL prefixes every imported name, so existing variables
 * are never overwritten. PHP inserts its own underscore between the
 * prefix and the key, so a prefix of 'unsanitized' yields $unsanitized_foo */
extract($_POST, EXTR_PREFIX_ALL, 'unsanitized');
extract($_GET, EXTR_PREFIX_ALL, 'unsanitized');

/* now sanitize all variables that start with
 * $unsanitized_ and do not reference
 * any variable that starts with $unsanitized_
 * anywhere else in the file
 */


EDITED 10 Aug 2010
Another option...

Method 3
If you're willing to require your users to have PHP5 > 5.2.0, then use the PHP filter functions.
End of 10 Aug 2010 Edit
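
The contrast between the old symbol-table import and a whitelist import, as an added, runnable example that is not code from zyspec's post or from any XOOPS module. It combines Method 1 (only known names, explicit POST/GET precedence) with Method 3 (the filter extension). The variable names is_admin, page, uid and title and the request contents are hypothetical and constructed inline, so the script runs from the command line without a web server.

```php
<?php
/*
 * Added example, not part of the original post or of any XOOPS module.
 * Shows why the old foreach import is dangerous and what a whitelist import
 * with the filter extension looks like. Names and request data are constructed.
 */
declare(strict_types=1);

// Constructed request: a normal form post plus an attacker-supplied
// is_admin=1 and a SQL-injection attempt on the query string.
$_POST = ['title' => '<script>alert(1)</script>', 'page' => 'abc'];
$_GET  = ['page' => '3', 'is_admin' => '1', 'uid' => '1 OR 1=1'];

/* --- Old pattern: every request key becomes a local variable --------------- */
function old_import(): array
{
    $is_admin = false;                           // decided by the module, not the user
    foreach ($_POST as $k => $v) { ${$k} = $v; }
    foreach ($_GET  as $k => $v) { ${$k} = $v; }
    // $is_admin has just been clobbered by the query string, and $title / $uid
    // reach the module exactly as the client sent them.
    return [
        'is_admin' => $is_admin,
        'page'     => $page  ?? null,
        'uid'      => $uid   ?? null,
        'title'    => $title ?? null,
    ];
}

/* --- Hardened pattern: only named variables, each with a validation rule --- */
// Anything not listed here (e.g. is_admin) is never read from the request.
const KNOWN_VARS = [
    //  name       filter                         options              default
    'page'  => [FILTER_VALIDATE_INT,           ['min_range' => 1],  1],
    'uid'   => [FILTER_VALIDATE_INT,           ['min_range' => 1],  null],
    'title' => [FILTER_SANITIZE_SPECIAL_CHARS, [],                  ''],
];

function import_known(array $post, array $get): array
{
    $clean = [];
    foreach (KNOWN_VARS as $name => [$filter, $options, $default]) {
        // Same precedence as Method 1: POST is read first, a GET value overrides it.
        $raw = $get[$name] ?? $post[$name] ?? null;
        if ($raw === null || is_array($raw)) {   // absent, or page[]=1 where a scalar is expected
            $clean[$name] = $default;
            continue;
        }
        $value = filter_var($raw, $filter, ['options' => $options]);
        // Validation filters return false on failure; never let the raw value through.
        $clean[$name] = ($value === false) ? $default : $value;
    }
    return $clean;
}

$old = old_import();
$new = import_known($_POST, $_GET);

printf("old: is_admin=%s uid=%s title=%s\n",
       var_export($old['is_admin'], true), $old['uid'], $old['title']);
printf("new: is_admin never read, page=%d uid=%s title=%s\n",
       $new['page'], var_export($new['uid'], true), $new['title']);
```

Run it with `php import_demo.php` (hypothetical file name): the old import reports `is_admin='1'` and passes the injection string and script tag through untouched, while the whitelist import keeps `page` as the integer 3, drops `uid` to its default because `1 OR 1=1` is not an integer, and HTML-encodes `title`. Inside a real request handler the same rules can be applied with `filter_input(INPUT_POST, 'page', FILTER_VALIDATE_INT)`, which reads the original request data even if `$_POST` has since been modified. Note that `FILTER_SANITIZE_SPECIAL_CHARS` only makes a value safe for HTML output; a value that ends up in a query still needs a parameterised query or the database layer's escaping.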

Peekay
Re: Blue Move Tip - Importing GET/POST Variables
  • 2010/8/10 12:32

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


Thx zyspec.

If anyone has any tips about using GET/POST VARs in Xoops, add them to this thread, or you can create a 'Blue Move Tip' post about anything that will help bring old modules up to speed.
A thread is for life. Not just for Christmas.
