Filtering yonder Superglobals

Posted: Thu Sep 22, 2005 10:15 am
by Maugrim_The_Reaper
In the course of my...er...hobby, I've found reason to consider adding Input Filtering to a php app (one of those game things). Unfortunately the game was concocted in such a way as to never (not once) filter data. Come to think of it - it doesn't escape either. In fact I'm not sure it's the least bit secure...maybe a smidgen.

Back on topic - filtering. Since it's legacy code and I'm not in the mood to start a rewrite, I was wondering about the validity of the following approach. It seems to be a no-no, but for no reason anyone actually seems to explain.

Normally:

$filter = new InputFilter();
$cleanpost = $filter->filter($_POST);
Suggested:

$filter = new InputFilter();
$cleanpost = $filter->filter($_POST);
unset($_POST);
$_POST = $cleanpost;
unset($cleanpost); // since its not actually used anymore
Now am I doing something fundamentally *wrong*, or will this allow clean data to replace the original $_POST data without posing any issues...whatsoever? The aim is not to edit the thousands of lines of code using the superglobal reference - not to mention the stuff that still relies on reg globals being on...;)

Note: I neither want nor need the original uncleaned data, not for the moment. The filter compares a definition (some class stating what the targeted page expects in its data) against the original $_POST and deletes unexpected data.

Posted: Thu Sep 22, 2005 10:22 am
by John Cartwright

$filter = new InputFilter();
$_POST = $filter->filter($_POST);
You're making this more complicated than it is. Have your filter function return an array or the new cleaned version.

edit| arrrr matey 8)

Posted: Thu Sep 22, 2005 10:26 am
by feyd
ye could use a reference and edit the passed array directly too, yar.

Posted: Thu Sep 22, 2005 10:28 am
by Maugrim_The_Reaper
Thought so - but a few articles have been passing it into $clean for reasons unknown...presumably they wanted the original, hence my note. Just checking and thanks ;)
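
To make the thread concrete, here is an added example (not the game's code and not any poster's actual class): a minimal whitelist InputFilter of the kind Maugrim describes, used both John Cartwright's way (assign the return value straight back to $_POST) and feyd's way (edit the passed array by reference), followed by the one check worth running before trusting the swap: $_REQUEST was built from the raw request before the filter ran, so it, and any register_globals copies, still hold the unfiltered values. The class name, the definition format and the field names are assumptions; the request data is constructed inline so the script runs from the command line (PHP 7.1 or later).

```php
<?php
// Added example, not the original game's code. "InputFilter", its definition
// format and the field names are assumptions standing in for the poster's class.

/**
 * Whitelist filter: keeps only the keys a page declares it expects, and only
 * when the value passes that key's validator. Everything else is dropped,
 * which is the behaviour the original post describes.
 */
class InputFilter
{
    /** @var array<string, callable> field name => validator returning bool */
    private $definition;

    public function __construct(array $definition)
    {
        $this->definition = $definition;
    }

    /** Return-value style: the caller decides where the clean copy goes. */
    public function filter(array $input): array
    {
        $clean = [];
        foreach ($this->definition as $key => $isValid) {
            if (array_key_exists($key, $input) && $isValid($input[$key])) {
                $clean[$key] = $input[$key];
            }
        }
        return $clean; // undeclared keys and failing values never reach $clean
    }

    /** Reference style (feyd's suggestion): edit the passed array in place. */
    public function filterRef(array &$input): void
    {
        $input = $this->filter($input);
    }
}

// Definition for a hypothetical "move fleet" page: which fields it expects and their shape.
$definition = [
    'fleet_id' => function ($v) { return is_string($v) && preg_match('/^\d{1,9}$/', $v) === 1; },
    'target'   => function ($v) { return is_string($v) && preg_match('/^[A-Za-z0-9_ ]{1,32}$/', $v) === 1; },
    'confirm'  => function ($v) { return $v === '1'; },
];

// Constructed request data standing in for a real POST (this runs from the CLI).
$_POST = [
    'fleet_id' => '42',
    'target'   => 'Alpha Centauri',
    'confirm'  => '1',
    'admin'    => '1',                         // never declared: dropped
    'comment'  => '<script>alert(1)</script>', // never declared: dropped
];
$_REQUEST = $_POST; // mimic PHP having built $_REQUEST from the raw data at request start

$filter = new InputFilter($definition);

// John Cartwright's one-liner: overwrite the superglobal with the clean copy.
// Legacy code reading $_POST['admin'] afterwards finds nothing.
$_POST = $filter->filter($_POST);
var_dump(isset($_POST['admin']));

// feyd's variant reaches the same state through a reference.
$_POST['admin'] = '1'; // put the key back to exercise the second style
$filter->filterRef($_POST);
var_dump(isset($_POST['admin']));

// Caveat: $_REQUEST (and, with register_globals on, a plain $admin) were
// populated from the raw request before the filter ran, so legacy code that
// reads those still sees the unfiltered value. Filter them too, or stop reading them.
var_dump(isset($_REQUEST['admin']));
```

Both assignment styles leave $_POST holding only the three declared fields; the last var_dump is the point of the exercise, since it shows the undeclared key surviving in $_REQUEST after $_POST has been replaced. Returning a fresh array, as the filter does here, also avoids any aliasing surprise if other code still holds a reference into the old array.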