Hi,

2012/6/24 Andreas Gohr <andi@xxxxxxxxxxxxxx>:
> I just got this report and wondering how to deal with it. The specified
> problem can easily be fixed with a cast to string, but I guess we have
> a bunch of other parameters as well that might cause warnings when
> filled with a wrong parameter type...

There are also other possibilities to cause warnings in DokuWiki, e.g. http://bugs.dokuwiki.org/index.php?do=details&task_id=2432 - so I think if we really want to fix that warnings are displayed this involves more than just checking parameters with wrong type. Maybe we should also point in the installation documentation to http://www.php.net/manual/en/errorfunc.configuration.php#ini.display-errors which clearly states that display_errors should be disabled in production systems, i.e. when warnings are displayed and disclose information in production systems, this is not really a problem of DokuWiki but the PHP configuration (nevertheless I think we should fix warnings).

> Does anyone have a suggestion how to fix this at other places as well,
> in a systematic manner? Would be grepping for _POST, _REQUEST, _GET to
> build a list of all user inputs be a good idea? Then making sure each
> of them can only contain the right type by going through the list?

It would be a start and definitely eliminate the current problem, however I have the impression that this problem also concerns some plugins from looking at the output of a quick search in the plugins I have installed here so just having a list of the parameters used in core code doesn't solve the whole problem. We could also put the cleaned parameters in some globally accessible data structure in order to make it easier to see which parameters have been cleaned (otherwise it might be easy to miss a parameter).

> Any better ideas?

I don't know if it is really better, but we could introduce some wrapper around _POST, _REQUEST, _GET etc. which takes as arguments the name of the parameter, the method (get, post, any) and the expected type, i.e. string, array, string_array (for an array of strings) and mixed for cases when the check is done by the caller (just as suggestion, we could also add other types that are frequently needed). That way we could also check if the parameter is set at all and eliminate some more notices without adding additional code in every place where a parameter is read and also plugins could easily check their parameters that way.

Michael
--
DokuWiki mailing list - more info at http://www.dokuwiki.org/mailinglist
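
One way to write the wrapper suggested in the message above, as an added example that is not part of the original e-mail and is not DokuWiki code. The function name `input_param()`, its argument order and the choice to return a default on a type mismatch are assumptions made for illustration.

```php
<?php
// Hypothetical helper (not DokuWiki API): read a request parameter and enforce its type.
// $method: 'get' | 'post' | 'any'; $type: 'string' | 'array' | 'string_array' | 'mixed'.
// $default is returned when the parameter is unset or has the wrong type.
function input_param($name, $method = 'any', $type = 'string', $default = null)
{
    $sources = array('get' => $_GET, 'post' => $_POST, 'any' => $_REQUEST);
    if (!isset($sources[$method])) {
        throw new InvalidArgumentException("unknown method: $method");
    }
    $source = $sources[$method];

    // Unset parameter: no "undefined index" notice, caller gets the default.
    if (!array_key_exists($name, $source)) {
        return $default;
    }
    $value = $source[$name];

    switch ($type) {
        case 'string':
            // ?id[]=x makes PHP deliver an array; reject it here instead of
            // letting a string function emit a warning further down.
            return is_string($value) ? $value : $default;
        case 'array':
            return is_array($value) ? $value : $default;
        case 'string_array':
            if (!is_array($value)) {
                return $default;
            }
            foreach ($value as $item) {
                if (!is_string($item)) {
                    return $default; // nested array such as ?tags[0][]=x
                }
            }
            return $value;
        case 'mixed':
            return $value; // the caller performs its own check
        default:
            throw new InvalidArgumentException("unknown type: $type");
    }
}

// Constructed sample request: ?id[]=start&tags[]=a&tags[]=b
$_GET = $_REQUEST = array('id' => array('start'), 'tags' => array('a', 'b'));
var_dump(input_param('id', 'get', 'string', ''));       // array where a string is expected
var_dump(input_param('tags', 'get', 'string_array'));   // array of strings, accepted
var_dump(input_param('missing', 'post', 'string', '')); // parameter not sent at all
```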