[geeklog-devel] [geeklog-cvs] Geeklog-1.x/system lib-webservices.php, 1.16, 1.17

Joe Mucchiello joe at ThrowingDice.com
Mon Nov 19 02:33:14 EST 2007


At 02:38 PM 11/18/2007, Dirk Haun wrote:
>Joe Mucchiello wrote:
>
> >I have a potentially stupid question but why are you parsing the
> >QUERY_STRING when you can just use the $_GET array to look at it?
>
>Because we also need to parse it in POST, PUT, and DELETE requests. For
>example, a story is POSTed to the URL /webservices/atom/?plugin=story

And regardless of which method is used, that URI will set the $_GET 
array with ("plugin" => "story") in it.

Currently, WS_dissectURI parses $_SERVER['QUERY_STRING'] explicitly 
and nothing else. PHP has already divided that string's variables 
into the $_GET array. Why are you doing it again? Also, your method 
doesn't call addslashes when magic quotes are on. But it will call 
stripslashes inside COM_applyFilter(). Not sure how dangerous that 
is, but I bet it will be the source of a very difficult bug to track down.

If you must do it again, there are builtin functions for it:

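function WS_dissectURI(&$args)
{
     global $WS_INTROSPECTION, $WS_PLUGIN;
     $args = array();
     // Let PHP split the query string into an array of variables
     parse_str($_SERVER['QUERY_STRING'], $args);
     // Run every value, including nested array values, through the filter
     array_walk_recursive($args, create_function('&$v,$k', '$v = COM_applyFilter($v);'));
     // Flag introspection requests when the parameter is present
     if (array_key_exists('introspection', $args)) {
         $WS_INTROSPECTION = true;
     }
     // Remember which plugin the request is addressed to
     if (array_key_exists('plugin', $args)) {
          $WS_PLUGIN = $args['plugin'];
     }
}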

----
Joe Mucchiello
Throwing Dice Games
http://www.throwingdice.com 
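
The slash mismatch raised in the message above, as an added example that is not part of the original post or of Geeklog's code. It assumes a hand-rolled parser (manual_parse), a stand-in for the stripslashes step attributed to COM_applyFilter() (filter_like), and simulates magic quotes with addslashes() because current PHP no longer has that setting; all three helper names and the query string are constructed for illustration.

```php
<?php
// Constructed query string: the title value is the literal text  it's a\b
$queryString = 'plugin=story&title=' . rawurlencode("it's a\\b");

// Hypothetical hand-rolled parser: split on & and =, then URL-decode.
// Nothing here adds slashes, whatever the magic quotes setting is.
function manual_parse($qs)
{
    $out = array();
    foreach (explode('&', $qs) as $pair) {
        list($k, $v) = array_pad(explode('=', $pair, 2), 2, '');
        $out[urldecode($k)] = urldecode($v);
    }
    return $out;
}

// Simulation of what magic quotes did to each value PHP stored in $_GET.
function simulate_magic_quotes(array $values)
{
    return array_map('addslashes', $values);
}

// Stand-in for the unconditional stripslashes step described in the post.
function filter_like($value)
{
    return stripslashes($value);
}

$raw    = manual_parse($queryString);    // hand-parsed, never escaped
$quoted = simulate_magic_quotes($raw);   // what $_GET would have held

$fromGet    = filter_like($quoted['title']);
$fromManual = filter_like($raw['title']);

// Escaped then unescaped: the value survives the round trip.
echo 'via $_GET:   ', $fromGet,
     ($fromGet === $raw['title'] ? ' (intact)' : ' (changed)'), "\n";

// Unescaped without ever being escaped: the user's backslash is consumed.
echo 'via manual:  ', $fromManual,
     ($fromManual === $raw['title'] ? ' (intact)' : ' (changed)'), "\n";
```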



