[geeklog-devel] Re: [geeklog-devtalk] Variable best practices

Tony Bibbs tony at tonybibbs.com
Wed Mar 3 14:38:58 EST 2004


> Tony,
> 
> I don't disagree and using $_REQUEST would remove the need to check both GET
> and POST.
> I wonder though, if it is not still more secure to check for $_POST before
> $_GET. I know a hacker can just as easily fake a POST request so maybe it
> does not matter. As long as we are filtering out any potentially hostile
> data.

Right, see injections can happen, in theory any time you go to the 
database (via a select, update, etc it doesn't matter).  So those fields 
should be filtered.  How you do that doesn't matter and my hunch is just 
going after the data in $_REQUEST is good enough as it handles everything.

Now, in Geeklog 2 we are using PEAR and thus I am using prepared SQL 
statements:

$prepStmt = $_DB->prepare('SELECT * FROM USERS WHERE uid = ?');
$result = $_DB->execute($prepStmt,$_REQUEST['uid']);

To handle injection attempts I plan on creating a method called 
DB_execute() that mirrors the PEAR execute method above except I will 
pass all arguments through the filter which should provide a convenient 
way of filtering stuff without having to have to explicitly do it every 
time.

Anyway, just wanted to clue you in on how I have been thinking through 
all this.  For 1.3.x your function is good and the only drawback is you 
have to call it explicitly but I don't see a way around it.

> 
> I suspect our issues are mostly with users that host their sites.
> 

Yeah, and again, most sane hosts should be on 4.1 or better already.

 >
> It also has a mode to address the need for Register_Globals on.
>

There is a lot that would need to be done to 1.3.x to get rid of this 
but if you move forward assuming 4.1. or better at least we can mark 
each page as a to-do in terms of getting rid of that dependency.  Then 
again, maybe this should be somthing similar to when I introduced HTML 
templates where we plan on freezing the code and working on nothing but 
register_globals issues and releasing that under 1.4.x.

That is something for Dirk to ponder but I'd be willing to help knock 
out a few pages.  With three of us we might actually get a beta version 
of this out within a couple of weeks.

--Tony



More information about the geeklog-devel mailing list