Filtering yonder Superglobals

Post by Maugrim_The_Reaper »

In the course of my...er...hobby, I've found reason to consider adding Input Filtering to a php app (one of those game things). Unfortunately the game was concocted in such a way as to never (not once) filter data. Come to think of it - it doesn't escape either. In fact I'm not sure it's the least bit secure...maybe a smidgen.

Back on topic - filtering. Since it's legacy code and I'm not in the mood to start a rewrite, I was wondering about the validity of the following approach. It seems to be a no-no, but for no reason anyone actually seems to explain.

Normally:

Code:

$filter = new InputFilter();
$cleanpost = $filter->filter($_POST);

Suggested:

Code:

$filter = new InputFilter();
$cleanpost = $filter->filter($_POST);
unset($_POST);
$_POST = $cleanpost;
unset($cleanpost); // since it's not actually used anymore

Now am I doing something fundamentally *wrong*, or will this allow clean data to replace the original $_POST data without posing any issues...whatsoever? Aim is not to edit the thousands of lines of code using the superglobal reference - not mentioning the stuff that still relies on reg globals on...;)

Note: I neither want nor need the original uncleaned data, not for the moment. Filter compares a definition (some class stating what the targeted page expects in its data) against the original $_POST, and deletes unexpected data.
Post by John Cartwright »

Code:

$filter = new InputFilter();
$_POST = $filter->filter($_POST);

You're making this more complicated than it is.. have your filter function return an array or the new cleaned version

edit| arrrr matey 8)
Post by feyd »

ye could use a reference and edit the passed array directly too, yar.
Post by Maugrim_The_Reaper »

Thought so - but a few articles have been passing it into $clean for reasons unknown...presumably they wanted the original, hence my note. Just checking and thanks ;)
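
The approach settled on in this thread, as an added example that is not part of the original posts: a definition-driven filter whose result overwrites `$_POST`. The internals of `InputFilter`, the field names, and the validators are assumptions, since the thread never shows them.

```php
<?php
// Hypothetical whitelist filter; the thread never shows InputFilter's internals.
final class InputFilter
{
    /** @var array<string, callable> field name => validator returning bool */
    private $definition;

    public function __construct(array $definition)
    {
        $this->definition = $definition;
    }

    /** Return only the fields the page expects, and only if they validate. */
    public function filter(array $raw): array
    {
        $clean = [];
        foreach ($this->definition as $field => $isValid) {
            // Skip missing fields, and array-valued input (e.g. name[]=x)
            // where the definition expects a single string.
            if (!isset($raw[$field]) || !is_string($raw[$field])) {
                continue;
            }
            if ($isValid($raw[$field])) {
                $clean[$field] = $raw[$field];
            }
        }
        return $clean; // anything not named in the definition is dropped
    }
}

// Constructed sample request body standing in for a real POST.
$_POST = [
    'player_id' => '42',
    'name'      => 'Maugrim',
    'is_admin'  => '1',          // not in the definition
    'message'   => ['nested'],   // array where a string is expected
];

// Assumed per-page definition: what this page expects in its data.
$filter = new InputFilter([
    'player_id' => function ($v) { return ctype_digit($v); },
    'name'      => function ($v) { return preg_match('/^[A-Za-z0-9_]{1,32}$/', $v) === 1; },
    'message'   => function ($v) { return strlen($v) <= 500; },
]);

// Overwrite the superglobal so legacy code reading $_POST sees only filtered data.
$_POST = $filter->filter($_POST);

var_dump($_POST);
```

Reassigning `$_POST` does not touch `$_REQUEST` or any globals that `register_globals` already imported at request startup; those are separate copies, so legacy code reading them still sees the unfiltered values.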