Wow, thats a pretty neat idea.
A few comments.
We should do something to the values in $_REQUEST so they can't be used after this function is called.
We should error if there are variables that don't fit the format we expect. We can't have anything getting past this filter by default or we'll be opening holes in the filtering without any kind of notification. We'll also want to know if we've missed anything during our changes.
Html keyword should probably be 'sh' instead of 'sH' so the lower case characters prefixed on a variable are what represents the variables type. This would be more consistent with what we have.
Filtering all variables might let us support allowing magic quotes although given the widespread rejection of the magic quotes feature it seems silly to do so. I wouldn't be surprised if the switch was removed from php entirely in the near future.
Chris
On Tuesday 27 June 2006 4:56 am, Jonathan Ernst wrote:
Please apply the (harmless) errorpage patch first.
As my prevous approach was refused, I decided to improve the current makeClean approach.
This patch automatically fills the $aClean array when we'll start using variable names like iVersionId, etc. This let's us check/clean up everything in a single place and do the error handling there.
You'll notice that I cleanly handle the magic_quote_gpc case as well. I know that people with magic_quote_gpc will get an error message thanks to Chris patch, but I still hope we can revert his patch in the future because I don't like forcing people to change their php config.
Changelog:
- automatic variable cleanup function
Files changed:
- CODING_STANDARD
- include/incl.php
- include/util.php
Le mardi 27 juin 2006 à 12:07 -0400, Chris Morgan a écrit :
Wow, thats a pretty neat idea.
A few comments.
We should do something to the values in $_REQUEST so they can't be used after this function is called.
We can do that but only after we have made the required changes everywhere (i.e. remove makeClean AND remove every occurence or $_REQUEST[], $_POST and so on).
We should error if there are variables that don't fit the format we expect. We can't have anything getting past this filter by default or we'll be opening holes in the filtering without any kind of notification. We'll also want to know if we've missed anything during our changes.
I made a show_error_page call when variables don't fit the format isn't it sufficient.
Html keyword should probably be 'sh' instead of 'sH' so the lower case characters prefixed on a variable are what represents the variables type. This would be more consistent with what we have.
Ok, could you please apply my patch and replace sH with sh in CODING_STANDARDS and in the new function in the diff ? My patch shouldn't cause any harm yet.
Filtering all variables might let us support allowing magic quotes although given the widespread rejection of the magic quotes feature it seems silly to do so. I wouldn't be surprised if the switch was removed from php entirely in the near future.
That might be true, but for the moment being magic_quotes_gpc=on is still the default even in php5.
Thanks.
-
Chris Morgan -
Jonathan Ernst