[dokuwiki] Re: Is $_GET documented - if so where?

From: Michiel Kamermans <pomax@xxxxxxxxxxxxxxxxxxxx>
To: dokuwiki@xxxxxxxxxxxxx
Date: Sun, 19 Dec 2010 05:27:33 -0800

On 12/18/2010 10:30 AM, Chris G wrote:

I'm using $_GET to retrieve the parameters after a link:-

     somespace:somepage?p1=aaa&p2=bbb&p3=ccc

If I do something like:

             foreach ($_GET as $k =>  $g)
             {
                 <do something with variable $k>
             }

In addition to Andrea's note that this is general PHP knowledge (seehttp://php.net/manual/en/reserved.variables.get.php) this is also afairly bad pattern to follow, because you clearly have no idea whatyou're looking for. If some malicious user sticks in more parameters,interesting things can happen. If you're relying on URL parameters, youshould a) know what they are, and b) check for each of them by name.


The safest pattern to do this is:

$param_value = isset($_GET['param_name']) ?validate($_GET['param_name']) : false;if($param_value!==false) { /* only now can we trust and use thisparameter value*/ }

with a special function "validate($string)" that you've written toreturn the value only if thing in $_GET conforms to what you know itshould conform to (using a preg_match validation, for instance),returning "false" otherwise. Trusting that the value is always going tobe correct is the fastest way to have your dokuwiki hacked.


- Mike "Pomax" Kamermans
nihongoresources.com
--
DokuWiki mailing list - more info at
http://www.dokuwiki.org/mailinglist

Follow-Ups:
- [dokuwiki] Re: Is $_GET documented - if so where?
  - From: Chris G

References:
- [dokuwiki] Is $_GET documented - if so where?
  - From: Chris G

[dokuwiki] Re: Is $_GET documented - if so where?

Other related posts: