[dokuwiki] Re: Is $_GET documented - if so where?

  • From: Chris G <cl@xxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Sun, 19 Dec 2010 14:15:41 +0000

On Sun, Dec 19, 2010 at 05:27:33AM -0800, Michiel Kamermans wrote:
> On 12/18/2010 10:30 AM, Chris G wrote:
> >I'm using $_GET to retrieve the parameters after a link:-
> >
> >     somespace:somepage?p1=aaa&p2=bbb&p3=ccc
> >
> >If I do something like:
> >
> >             foreach ($_GET as $k =>  $g)
> >             {
> >                 <do something with variable $k>
> >             }
> 
> In addition to Andrea's note that this is general PHP knowledge (see
> http://php.net/manual/en/reserved.variables.get.php) this is also a
> fairly bad pattern to follow, because you clearly have no idea what
> you're looking for. If some malicious user sticks in more
> parameters, interesting things can happen. If you're relying on URL
> parameters, you should a) know what they are, and b) check for each
> of them by name.
> 
Well, firstly it's an "only written by me wiki" and secondly the <do
something with variable $k> is searching for a match in something so a
malicious user sticking things in $_GET won't get anywhere because their
strings won't match anything.

I take your point though; if I were programming in a more open
environment I'd be much more careful.


> The safest pattern to do this is:
> 
> $param_value =  isset($_GET['param_name']) ?
> validate($_GET['param_name']) : false;
> if($param_value!==false) { /* only now can we trust and use this
> parameter value*/ }
> 
> with a special function "validate($string)" that you've written to
> return the value only if the thing in $_GET conforms to what you know it
> should conform to (using a preg_match validation, for instance),
> returning "false" otherwise. Trusting that the value is always going
> to be correct is the fastest way to have your dokuwiki hacked.
> 

-- 
Chris Green
-- 
DokuWiki mailing list - more info at
http://www.dokuwiki.org/mailinglist
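The "check each parameter by name" pattern from the thread, written out as an added example (not code from either poster or from DokuWiki itself). The parameter names p1, p2, p3 come from the link in the thread; the rule table, the validate() and readParams() functions and the sample request are assumptions made for this example.

```php
<?php
// Added example, not from the thread: read only known query parameters,
// each validated against its own rule, instead of iterating over all of $_GET.

// Hypothetical rule table: parameter name => regex the value must match.
// \A and \z anchor the whole string; a plain $ would still accept a trailing
// newline, which is a classic way to slip past an "exact" match.
const PARAM_RULES = [
    'p1' => '/\A[a-z]{1,32}\z/',          // short lowercase word
    'p2' => '/\A[A-Za-z0-9_-]{1,64}\z/',  // identifier-like token
    'p3' => '/\A[0-9]{1,6}\z/',           // small non-negative integer
];

/**
 * Return $value if it is a string matching $pattern, otherwise false.
 * The string check matters: PHP turns p1[]=x into an array inside $_GET,
 * and preg_match() does not accept an array subject.
 */
function validate($value, string $pattern)
{
    if (!is_string($value)) {
        return false;
    }
    return preg_match($pattern, $value) === 1 ? $value : false;
}

/**
 * Pull only the parameters we know about out of $query (normally $_GET).
 * Keys not in $rules are ignored; a known key that is missing or fails its
 * rule becomes false, so callers must test with !== false before use.
 */
function readParams(array $query, array $rules = PARAM_RULES): array
{
    $out = [];
    foreach ($rules as $name => $pattern) {
        $out[$name] = isset($query[$name]) ? validate($query[$name], $pattern) : false;
    }
    return $out;
}

// Constructed sample request: the link from the thread plus an extra key the
// page never asked for; readParams() never looks at 'evil', and 'ccc' fails
// the digits-only rule for p3, so it is reported as false.
$sample = ['p1' => 'aaa', 'p2' => 'bbb', 'p3' => 'ccc', 'evil' => '../../'];
foreach (readParams($sample) as $name => $value) {
    if ($value !== false) {
        // only now can the value be trusted and used
        echo "$name=$value\n";
    }
}
```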
