Filtering yonder Superglobals
Posted: Thu Sep 22, 2005 10:15 am
In the course of my...er...hobby, I've found reason to consider adding input filtering to a PHP app (one of those game things). Unfortunately the game was concocted in such a way as to never (not once) filter data. Come to think of it, it doesn't escape either. In fact I'm not sure it's the least bit secure...maybe a smidgen.
Back on topic: filtering. Since it's legacy code and I'm not in the mood to start a rewrite, I was wondering about the validity of the following approach. It seems to be a no-no, but for no reason anyone actually seems to explain.
Normally:

    $filter = new InputFilter();
    $cleanpost = $filter->filter($_POST);

Suggested:

    $filter = new InputFilter();
    $cleanpost = $filter->filter($_POST);
    unset($_POST);
    $_POST = $cleanpost;
    unset($cleanpost); // since it's not actually used anymore

Now am I doing something fundamentally *wrong*, or will this allow clean data to replace the original $_POST data without posing any issues...whatsoever? The aim is not to edit the thousands of lines of code using the superglobal reference, not to mention the stuff that still relies on register_globals being on...
Note: I neither want nor need the original uncleaned data, not for the moment. The filter compares a definition (some class stating what the targeted page expects in its data) against the original $_POST, and deletes unexpected data.
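The whitelist filter the post describes (a per-page definition of the expected fields, everything else dropped) and the replacement of $_POST with the cleaned copy, as an added example that is not the poster's code and not any existing InputFilter library. The class name, the validator-closure definition format and the sample request are assumptions; it needs PHP 7.4 or later for the typed property and arrow functions.

```php
<?php
// Added example, not the poster's code. A whitelist-based InputFilter in the
// spirit of the post: a definition names the fields a page expects and how to
// validate each one; every key not in the definition is deleted.

final class InputFilter
{
    /** @var array<string, callable> field name => validator returning the cleaned value, or null to reject */
    private array $definition;

    public function __construct(array $definition)
    {
        $this->definition = $definition;
    }

    /**
     * Returns a new array containing only the fields named in the definition,
     * each passed through its validator. Unexpected keys are dropped. Expected
     * keys whose value fails validation are dropped too, and their names are
     * reported through $rejected so the page can decide what to do.
     */
    public function filter(array $input, array &$rejected = []): array
    {
        $clean = [];
        $rejected = [];
        foreach ($this->definition as $field => $validator) {
            if (!array_key_exists($field, $input)) {
                continue;                 // expected but absent: stays absent
            }
            $value = $validator($input[$field]);
            if ($value === null) {
                $rejected[] = $field;     // present but malformed
                continue;
            }
            $clean[$field] = $value;
        }
        return $clean;
    }
}

// Hypothetical definition for one page. Each validator returns the normalised
// value or null. The is_string() checks matter: a request like name[]=x makes
// $_POST['name'] an array, and the regexes must never see that.
$definition = [
    'planet_id' => fn($v) => is_string($v) && preg_match('/^[1-9]\d{0,8}\z/', $v) ? (int) $v : null,
    'name'      => fn($v) => is_string($v) && preg_match('/^[\p{L}\p{N} _-]{1,32}\z/u', $v) ? $v : null,
    'action'    => fn($v) => in_array($v, ['attack', 'trade', 'spy'], true) ? $v : null,
];

// Constructed sample request standing in for the real $_POST.
$_POST = [
    'planet_id' => '42',
    'name'      => 'Arrakis',
    'action'    => 'spy',
    'admin'     => '1',                          // never declared: dropped
    'note'      => "'; DROP TABLE planets; --",  // never declared: dropped
];

$filter = new InputFilter($definition);
$_POST  = $filter->filter($_POST, $rejected);   // replace the superglobal with the clean copy

var_dump($_POST);     // ['planet_id' => 42, 'name' => 'Arrakis', 'action' => 'spy']
var_dump($rejected);  // []

// Caveats for the legacy-code situation in the post:
// - $_REQUEST was built from the original $_POST when the request started and
//   is not updated by this assignment; code reading $_REQUEST still sees 'admin'.
// - With register_globals on, $admin and $note were already created as globals
//   before this code ran; reassigning $_POST does nothing to them.
```

The assignment alone is enough; there is no need to unset($_POST) first, since the assignment replaces the array either way. The two caveats in the comments are the real limits of the approach for this code base: the filter only covers reads that go through $_POST itself, so $_GET, $_REQUEST and any register_globals variables need their own treatment before the app can be considered filtered.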