Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
ganjargal
Forum Newbie
Posts: 2 Joined: Tue Aug 24, 2010 12:09 am
by ganjargal » Tue Aug 24, 2010 12:14 am
Code:
    <?php
    // Sanitise a request value: 'integer' casts it, 'latin' strips everything
    // except ASCII letters and whatever extra characters are passed in.
    function requestFilter( $value = null, $filter = 'integer', $specialcharacters = "" ){
        switch($filter){
            default:
            case 'integer':
                $value = intval($value);
                break;
            case 'latin':
                // $specialcharacters is inserted into the character class unescaped,
                // so characters such as ']' or '\' would change the pattern itself.
                $value = preg_replace('#[^a-zA-Z'.$specialcharacters.']#', '', $value);
                break;
        }
        return $value;
    }

    // Whitelist of module names that may be loaded from the request.
    $admin_modules = array("users", "products", "category", "pages", "shipping", "ordering");
    $module = isset($_REQUEST['module']) && !empty($_REQUEST['module']) && in_array($_REQUEST['module'], $admin_modules) ? requestFilter($_REQUEST['module'], "latin") : null;
    if(!is_null($module)){
        switch($module){
            case "users":
            case "products":
            case "category":
            case "pages":
            case "shipping":
            case "ordering": // was "orders", which no entry of $admin_modules could ever reach
                require_once("modules/".$module.".php");
                break;
        }
    }
Mordred
DevNet Resident
Posts: 1579 Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria
by Mordred » Wed Aug 25, 2010 7:13 am
In this instance, it is fine. When used in other contexts it may break if given an array instead of a string.
Apollo
Forum Regular
Posts: 794 Joined: Wed Apr 30, 2008 2:34 am
by Apollo » Wed Aug 25, 2010 7:55 am
Note that merely this:
Code:
    $admin_modules = array('users', 'products', 'category', 'pages', 'shipping', 'ordering');
    $module = $_REQUEST['module'];
    // Third argument: strict (===) comparison, so only an exact string match passes.
    if (in_array($module,$admin_modules,true)) require_once("modules/$module.php");
would be sufficient as well, just as safe and less error-prone (because when adding or removing a module you only have to edit it at one place, rather than the array *and* the switch case).
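An added example of the single-list approach Apollo describes, written for this edit rather than taken from either post: the whitelist maps each module name to its file, so the request value is only ever used as a lookup key and never becomes part of a path, and a non-string value (the `?module[]=x` case Mordred raises) is rejected up front. The file paths and the `resolveModule` helper are assumptions for the illustration.

```php
<?php
// Added example, not code from the thread. Keeps the whitelist as the single
// source of truth and never concatenates request input into a file path.

// Assumed layout: one entry per module, name => file that implements it.
$admin_modules = array(
    'users'    => 'modules/users.php',
    'products' => 'modules/products.php',
    'category' => 'modules/category.php',
    'pages'    => 'modules/pages.php',
    'shipping' => 'modules/shipping.php',
    'ordering' => 'modules/ordering.php',
);

/**
 * Resolve a raw request value to a whitelisted module file, or null.
 *
 * @param mixed $requested  whatever arrived in $_REQUEST['module'] (may be absent,
 *                          a string, or an array if the client sent module[]=...)
 * @param array $modules    name => path whitelist
 * @return string|null      path to require, or null when the request is not allowed
 */
function resolveModule($requested, array $modules)
{
    // An array (or any other non-string) is never a valid module name.
    if (!is_string($requested)) {
        return null;
    }
    // Exact key match against the whitelist; the request value itself is not
    // used anywhere else, so '../', null bytes or odd characters are irrelevant.
    if (!array_key_exists($requested, $modules)) {
        return null;
    }
    return $modules[$requested];
}

$file = resolveModule(isset($_REQUEST['module']) ? $_REQUEST['module'] : null, $admin_modules);
if ($file !== null) {
    require_once $file;
} else {
    // Unknown or malformed module: log it, since legitimate links never produce this.
    error_log('Rejected module request: ' . json_encode(isset($_REQUEST['module']) ? $_REQUEST['module'] : null));
}
```

Adding or removing a module means editing only the `$admin_modules` array, which also removes the chance of the array and a separate switch drifting apart.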