3,035
edits
Update:Archive/2.0/Developers Guide: Difference between revisions
Jump to navigation
Jump to search
Update:Archive/2.0/Developers Guide (view source)
Revision as of 03:27, 1 August 2005
, 1 August 2005no edit summary
No edit summary |
No edit summary |
||
| Line 112: | Line 112: | ||
* Examine index.php and faq.php for examples that will show you the difference between default and non-default wrappers. | * Examine index.php and faq.php for examples that will show you the difference between default and non-default wrappers. | ||
== Input Filtering == | === Input Filtering === | ||
If you are working on a page that concerns input from GET, POST, SESSION or REQUEST, please understand the proper format for filtering and storing foreign data. | If you are working on a page that concerns input from GET, POST, SESSION or REQUEST, please understand the proper format for filtering and storing foreign data. | ||
| Line 124: | Line 124: | ||
These are good examples, but don't follow them verbatim. Follow the syntax used in example scripts. See search.php for a good example. | These are good examples, but don't follow them verbatim. Follow the syntax used in example scripts. See search.php for a good example. | ||
=== Input Filtering No-No's === | ==== Input Filtering No-No's ==== | ||
; Do not use REQUEST : By nature, REQUEST is a violation of HTTP protocol. You should reference GET or POST or COOKIE or SESSION explicitly, but never assume that you are pulling from 'any of those' at once. This opens the door for abuse and manipulation of variables because it makes it unclear where you are getting your variables from. | ; Do not use REQUEST : By nature, REQUEST is a violation of HTTP protocol. You should reference GET or POST or COOKIE or SESSION explicitly, but never assume that you are pulling from 'any of those' at once. This opens the door for abuse and manipulation of variables because it makes it unclear where you are getting your variables from. | ||
; Do not assign reference GET, POST, REQUEST or COOKIE directly : Before using any data from any untrusted arrays, you should first test for types and validity then assign those values to proper locations in trusted arrays. Do not ever, ever use any of these request arrays in any script logic or SQL. You will be punished. | ; Do not assign reference GET, POST, REQUEST or COOKIE directly : Before using any data from any untrusted arrays, you should first test for types and validity then assign those values to proper locations in trusted arrays. Do not ever, ever use any of these request arrays in any script logic or SQL. You will be punished. | ||
=== General Input Filtering Guidelines === | ==== General Input Filtering Guidelines ==== | ||
* Store things in arrays that make sense. | * Store things in arrays that make sense. | ||
** $sql - array of SQL-safe variables. | ** $sql - array of SQL-safe variables. | ||
** $clean - array of raw but trusted variables. | ** $clean - array of raw but trusted variables. | ||
* Do not escape these for HTML output; that is handled by Smarty's |escape function, and does not need to happen in your PHP scripts. | * Do not escape these for HTML output; that is handled by Smarty's |escape function, and does not need to happen in your PHP scripts. | ||