Wow, thats a pretty neat idea.
A few comments.
We should do something to the values in $_REQUEST so they can't be used after this function is called.
We should error if there are variables that don't fit the format we expect. We can't have anything getting past this filter by default or we'll be opening holes in the filtering without any kind of notification. We'll also want to know if we've missed anything during our changes.
Html keyword should probably be 'sh' instead of 'sH' so the lower case characters prefixed on a variable are what represents the variables type. This would be more consistent with what we have.
Filtering all variables might let us support allowing magic quotes although given the widespread rejection of the magic quotes feature it seems silly to do so. I wouldn't be surprised if the switch was removed from php entirely in the near future.
Chris
On Tuesday 27 June 2006 4:56 am, Jonathan Ernst wrote:
Please apply the (harmless) errorpage patch first.
As my prevous approach was refused, I decided to improve the current makeClean approach.
This patch automatically fills the $aClean array when we'll start using variable names like iVersionId, etc. This let's us check/clean up everything in a single place and do the error handling there.
You'll notice that I cleanly handle the magic_quote_gpc case as well. I know that people with magic_quote_gpc will get an error message thanks to Chris patch, but I still hope we can revert his patch in the future because I don't like forcing people to change their php config.
Changelog:
- automatic variable cleanup function
Files changed:
- CODING_STANDARD
- include/incl.php
- include/util.php