Welcome to Geeklog, Anonymous Thursday, April 18 2024 @ 12:13 am EDT

Geeklog Forums

In the future, if Register_Globals = off



Euan

Forum User
Full Member
Registered: 04/22/02
Posts: 292
Suppose that (at some point in the future) the 1.3 branch were to go globals=off, just suppose... what would a developer working on a plugin need to do now so that his/her plugins were still compatible with register_globals = off ?

The reason is I was reading this:
http://cvs.sourceforge.net/viewcvs.py/squirrelmail/squirrelmail/doc/plugin.txt?rev=HEAD&content-type=text/vnd.viewcvs-markup



Compatibility with register_globals=Off
---------------------------------------

Most sensible systems administrators now run their PHP systems with the setting "register_globals" as OFF. This is a prudent security setting, and as the SquirrelMail core code has long since been upgraded to work in such an environment, we are now requiring that all plugins do the same. Compatibility with this setting amounts to little more than explicitly gathering any and all variables you sent from a tag as GET or POST values instead of just assuming that they will be placed in the global scope automatically. There is nothing more to do than this:

global $favorite_color;
sqgetGlobalVar('favorite_color', $favorite_color, SQ_FORM);



Is it that easy? Just make a function to get/parse variables, and stick it in say functions.php? If that were the case, perhaps we could have something like the SquirrelMail function below in the standard Geeklog installation for plugins to use. That might make any future transition a little easier on everybody concerned.

Just an idea.

Cheers,

Euan.


The SquirrelMail function:



/**
 * Search for the var $name in $_SESSION, $_POST, $_GET,
 * $_COOKIE, or $_SERVER and set it in provided var.
 *
 * If $search is not provided,  or == SQ_INORDER, it will search
 * $_SESSION, then $_POST, then $_GET. Otherwise,
 * use one of the defined constants to look for
 * a var in one place specifically.
 *
 * Note: $search is an int value equal to one of the
 * constants defined above.
 *
 * example:
 *    sqgetGlobalVar('username',$username,SQ_SESSION);
 *  -- no quotes around last param!
 *
 * Returns FALSE if variable is not found.
 * Returns TRUE if it is.
 */
function sqgetGlobalVar($name, &$value, $search = SQ_INORDER) {

    if ( !check_php_version(4,1) ) {
        global $HTTP_COOKIE_VARS, $HTTP_GET_VARS, $HTTP_POST_VARS,
               $HTTP_SERVER_VARS, $HTTP_SESSION_VARS;

        $_COOKIE  =& $HTTP_COOKIE_VARS;
        $_GET     =& $HTTP_GET_VARS;
        $_POST    =& $HTTP_POST_VARS;
        $_SERVER  =& $HTTP_SERVER_VARS;
        $_SESSION =& $HTTP_SESSION_VARS;
    }

    /* NOTE: DO NOT enclose the constants in the switch
       statement with quotes. They are constant values,
       enclosing them in quotes will cause them to evaluate
       as strings. */
    switch ($search) {
        /* we want the default case to be first here,  
           so that if a valid value isn't specified,
           all three arrays will be searched. */
      default:
      case SQ_INORDER:   // check session, post, get
      case SQ_SESSION:
        if( isset($_SESSION[$name]) ) {
            $value = $_SESSION[$name];
            return TRUE;
        } elseif ( $search == SQ_SESSION ) {
            break;
        }
      case SQ_FORM:      //  check post, get
      case SQ_POST:
        if( isset($_POST[$name]) ) {
            $value = $_POST[$name];
            return TRUE;
        } elseif ( $search == SQ_POST ) {
          break;
        }
      case SQ_GET:
        if ( isset($_GET[$name]) ) {
            $value = $_GET[$name];
            return TRUE;
        }
        /* NO IF HERE. FOR SQ_INORDER CASE, EXIT after GET */
        break;
      case SQ_COOKIE:
        if ( isset($_COOKIE[$name]) ) {
            $value = $_COOKIE[$name];
            return TRUE;
        }
        break;
      case SQ_SERVER:
        if ( isset($_SERVER[$name]) ) {
            $value = $_SERVER[$name];
            return TRUE;
        }
        break;
    }
    return FALSE;
}

 

-- Heather Engineering
-- No job too small


Blaine

Forum User
Moderator
Registered: 07/16/02
Posts: 1232
Location:Canada
I agree Euan, and I've been using a function in my plugins to filter all incoming and expected variables (looks for POST and then GET vars) and optionally makes them global for use inside my script. It's important that we filter all expected variables to prevent someone from adding Javascript or trying a SQL injection attack.

I have a library of functions that I now use for my portalparts plugins so that I'm not copying all the same functions for each plugin project - that's been the biggest dilemma.

Anyway, it's called like this (very similar) in my apps.
/* Filter incoming variables and set them as globals */
$myvars = array('op','chklist','username','email');
ppGetData($myvars,true);

 

Geeklog components by PortalParts -- www.portalparts.com


Euan

Forum User
Full Member
Registered: 04/22/02
Posts: 292
Hi Blaine,

SquirrelMail does $HTTP_COOKIE_VARS, $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_SERVER_VARS, $HTTP_SESSION_VARS and offers the option of setting the search order. Would you be interested in posting your function here and agreeing on a standard that we could use? Does anyone want to comment on what might be a suitable standard to pass to the function? It might also make plugin developing both easier and safer.

eg: getGlobals( array(get these), array(HTTP_to_check), etc... )

Cheers,

Euan.
-- Heather Engineering
-- No job too small


Blaine

Forum User
Moderator
Registered: 07/16/02
Posts: 1232
Location:Canada
I actually posted this code a few weeks ago to the Geeklog Developers list. This is now part of my lib-portalparts library that is used in several of my upcoming portalparts plugins.
/**
* PortalParts Library Function to filter incoming variables and optionally make them GLOBAL
* Author: Blaine Lang
*
* The function can be called with just one argument - an array of variable names.
* It will check POST and then GET and, if the variable is found,
* it is filtered and returned.
*
* Optionally, you can make the variables global and specify GET or POST as the source.
*
* Example use:
*      $myvars = array('op','chklist','username','email');
*      ppGetData($myvars,true);
*
* @param        array    $vars          Array of variable names
* @param        boolean  $setglobal     Optional: Set true to make variables global
* @param        string   $type          Optional: Set to 'POST' or 'GET'
* @return   array   Filtered variables (name => value); nothing is returned when $setglobal is true
*
*/

function ppGetData($vars,$setglobal=false,$type='')  {
  $return_data = array();

  # setup common reference to SuperGlobals depending which array is needed
  if ($type == "GET" OR $type == "POST") {
    if ($type =="GET") { $SG_Array =& $_GET; }
    if ($type =="POST") { $SG_Array =& $_POST; }

    # loop through SuperGlobal data array and grab out data for allowed fields if found
    foreach($vars as $key)  {
      if (array_key_exists($key,$SG_Array)) { $return_data[$key]=$SG_Array[$key]; }
    }

  } else {
    foreach ($vars as $key) {
      if (array_key_exists($key, $_POST)) {
        $return_data[$key] = $_POST[$key];
      } elseif (array_key_exists($key, $_GET)) {
        $return_data[$key] = $_GET[$key];
      }
    }
  }

  # loop through $vars array and apply the filter; a variable that was not
  # sent is filtered as an empty string so every expected name ends up defined
  # (ppApplyFilter is part of lib-portalparts and is not shown in this thread)
  foreach($vars as $key)  {
    $raw = array_key_exists($key, $return_data) ? $return_data[$key] : '';
    $return_data[$key] = ppApplyFilter($raw);
  }

  // Optionally set $GLOBALS or return the array
  if ($setglobal) {
      # loop through final data and define all the variables using the $GLOBALS array
      foreach ($return_data as $key=>$value)  {
        $GLOBALS[$key]=$value;
      }
  } else {
      return $return_data;
  }

}

 

Geeklog components by PortalParts -- www.portalparts.com


Euan

Forum User
Full Member
Registered: 04/22/02
Posts: 292
OK, are there any other possible places (other than POST and GET) that we might need to get variables from? E.g. cookie vars? Also, is there anything else that we might conceivably need to pass to/get from this function (I can't imagine anything else off the top of my head)? If not, then I'll use your code in my function.inc as well.

Cheers,

Euan.
-- Heather Engineering
-- No job too small
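An added example (not code from this thread, nor from Geeklog, SquirrelMail or PortalParts) that merges the two approaches discussed above: sqgetGlobalVar's ordered search over the superglobals, including cookies and the session that Euan asks about, and ppGetData's whitelist of expected names, with a validator per name so a value that fails its check falls back to a default instead of reaching the plugin. It assumes PHP 5.3 or later; glGetVars and the $spec layout are hypothetical names chosen for this illustration.

```php
<?php
// Added example, not code from this thread or from Geeklog/SquirrelMail/PortalParts.
// Ordered search over the superglobals (as in sqgetGlobalVar) plus a whitelist of
// expected names with a per-variable filter (as in ppGetData). glGetVars and the
// $spec layout are hypothetical names for this illustration.

/**
 * Fetch only the listed variables, from the listed sources in order, and
 * validate each one. Names the plugin did not ask for are never touched, so
 * with or without register_globals nothing else reaches the global scope.
 *
 * @param array $spec name => array('sources' => array('POST','GET','COOKIE','SESSION'),
 *                                  'filter'  => callable returning the value or false,
 *                                  'default' => value used when absent or invalid)
 * @return array name => validated value
 */
function glGetVars(array $spec) {
    $sources = array(
        'POST'    => $_POST,
        'GET'     => $_GET,
        'COOKIE'  => $_COOKIE,
        'SESSION' => isset($_SESSION) ? $_SESSION : array(),
    );
    $out = array();
    foreach ($spec as $name => $rule) {
        $value = isset($rule['default']) ? $rule['default'] : null;
        foreach ($rule['sources'] as $src) {
            if (isset($sources[$src]) && array_key_exists($name, $sources[$src])) {
                $raw = $sources[$src][$name];
                // arrays where a scalar is expected are rejected outright
                $ok = is_scalar($raw) ? call_user_func($rule['filter'], $raw) : false;
                if ($ok !== false) {
                    $value = $ok;
                }
                break; // first source carrying the name wins, valid or not
            }
        }
        $out[$name] = $value;
    }
    return $out;
}

// Usage: POST is consulted before GET, as in both functions in this thread.
$vars = glGetVars(array(
    'op'  => array('sources' => array('POST', 'GET'), 'default' => 'list',
        'filter' => function ($v) { return in_array($v, array('list', 'edit', 'save'), true) ? $v : false; }),
    'uid' => array('sources' => array('POST', 'GET'), 'default' => 0,
        'filter' => function ($v) { return ctype_digit((string) $v) ? (int) $v : false; }),
));
```

After the call, $vars['op'] is always one of the three known operations and $vars['uid'] is always an integer, whatever the request contained.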
