On Sun, Dec 19, 2010 at 05:27:33AM -0800, Michiel Kamermans wrote:
> On 12/18/2010 10:30 AM, Chris G wrote:
> >I'm using $_GET to retrieve the parameters after a link:-
> >
> > somespace:somepage?p1=aaa&p2=bbb&p3=ccc
> >
> >If I do something like:
> >
> > foreach ($_GET as $k => $g)
> > {
> > <do something with variable $k>
> > }
>
> In addition to Andrea's note that this is general PHP knowledge (see
> http://php.net/manual/en/reserved.variables.get.php) this is also a
> fairly bad pattern to follow, because you clearly have no idea what
> you're looking for. If some malicious user sticks in more
> parameters, interesting things can happen. If you're relying on URL
> parameters, you should a) know what they are, and b) check for each
> of them by name.
>
Well, firstly it's an "only written by me wiki", and secondly the <do something with variable $k> is searching for a match in something, so a malicious user sticking things in $_GET won't get anywhere because their strings won't match anything. I take your point though; if I were programming in a more open environment I'd be much more careful.

> The safest pattern to do this is:
>
> $param_value = isset($_GET['param_name']) ?
> validate($_GET['param_name']) : false;
> if($param_value!==false) { /* only now can we trust and use this
> parameter value*/ }
>
> with a special function "validate($string)" that you've written to
> return the value only if thing in $_GET conforms to what you know it
> should conform to (using a preg_match validation, for instance),
> returning "false" otherwise. Trusting that the value is always going
> to be correct is the fastest way to have your dokuwiki hacked.
>
--
Chris Green

--
DokuWiki mailing list - more info at http://www.dokuwiki.org/mailinglist
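The pattern Michiel describes (name each expected parameter, validate it with preg_match, treat anything else as absent) written out as a complete PHP script. This is an added example, not code from the thread, from DokuWiki or from either poster; the parameter names p1/p2/p3, their patterns, the helper names validate() and read_params(), and the sample input are all assumptions made for illustration.

```php
<?php
// Added example: whitelist-by-name reading of URL parameters, as opposed to
// iterating over whatever happens to be in $_GET. Names and patterns below
// are assumptions for illustration only.

// Every parameter the page accepts is listed here with the pattern its value
// must match. Nothing outside this list is ever read from the request.
const EXPECTED_PARAMS = [
    'p1' => '/^[a-z]{1,16}$/',        // short lowercase word
    'p2' => '/^[a-z0-9_-]{1,32}$/',   // identifier-like token
    'p3' => '/^[0-9]{1,6}$/',         // small non-negative integer
];

/**
 * Return $value unchanged if it is a string matching $pattern, else false.
 * The is_string() check matters: a request like ?p1[]=x makes PHP hand you
 * an array, and preg_match() on an array only emits a warning.
 */
function validate($value, string $pattern)
{
    if (!is_string($value)) {
        return false;
    }
    return preg_match($pattern, $value) === 1 ? $value : false;
}

/**
 * Read only the parameters we know about, by name, from a $_GET-like array.
 * Returns name => validated value; absent or invalid parameters are left out,
 * so callers never see a value that did not pass its pattern.
 */
function read_params(array $get): array
{
    $clean = [];
    foreach (EXPECTED_PARAMS as $name => $pattern) {
        $value = isset($get[$name]) ? validate($get[$name], $pattern) : false;
        // Identity comparison, as in the quoted snippet: a valid "0" is kept,
        // while the false returned by validate() is rejected.
        if ($value !== false) {
            $clean[$name] = $value;
        }
    }
    return $clean;
}

// Constructed sample standing in for $_GET built from a request such as
// somepage?p1=aaa&p2=bbb&p3=ccc&extra=anything
$sample_get = [
    'p1'    => 'aaa',
    'p2'    => 'bbb',
    'p3'    => 'ccc',       // fails the digits-only pattern, so it is dropped
    'extra' => 'anything',  // never requested by name, so it is ignored
];

// In a real page you would pass $_GET here instead of the constructed array.
var_dump(read_params($sample_get));
```

Run with `php example.php`; only p1 and p2 survive, because p3 does not match its pattern and extra was never asked for. Keeping the table of expected names in one place also gives you a single spot to audit when the page grows new parameters.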