Quoting Jesse Becker <[EMAIL PROTECTED]>:

> On Feb 13, 2008 11:46 AM, <[EMAIL PROTECTED]> wrote:
>> Quoting Jesse Becker <[EMAIL PROTECTED]>:
>
>> You said the only patching would be to include this script in
>> get_context.php and graph.php. So, I take that to mean that
>> get_context.php and graph.php would still access values in $_GET like
>> they currently do, but these would be modified by sanitize.php.
>
> Yes and no. This file will be included by anything that is
> "front-facing". So index.php and graph.php like I mentioned, but also
> the host_view, cluster_view, etc. files. Not a big deal though.
>
> Right now, the idea is to *NOT* change any data, just accept or reject
> based on some basic type checking. $_GET (et al.) remain available to
> the other scripts (index.php, et al.), but non-validated data is
> removed. Essentially, something exists in $_GET if, and only if, it
> has explicitly been declared "okay."
My only concern with this is that I've always expected $_GET, and other superglobal arrays, to contain exactly what the user sent, or the environment provided, etc. It's harder to audit code when that isn't the case.

Lots of PHP applications do direct modifications on $_GET/$_POST values, and it can be very hard to track down whether a value in those arrays has actually been validated/filtered correctly so as to be safe for use. Depending on where you are at in script execution, $_GET might be safe, or it might not be. It adds complexity to the task of spotting problematic code.

My opinion is that it's less confusing to write code such that superglobals are treated as read-only, and are thus always suspect since they're external data.

alex
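The two designs the thread weighs, side by side, as an added example that is not Ganglia's code: the in-place whitelist filter Jesse describes, and the read-only accessor style alex prefers, where $_GET is never touched and every validated read is visible at the call site. The parameter names and regex patterns are assumptions for illustration.

```php
<?php
// Added example, not from the Ganglia code base. Parameter names and
// patterns are assumptions chosen to illustrate the two approaches.

// Whitelist: parameter name => regex the value must fully match.
$allowed = [
    'c' => '/^[A-Za-z0-9_.-]{1,64}$/',         // cluster name
    'h' => '/^[A-Za-z0-9_.-]{1,255}$/',        // host name
    'r' => '/^(hour|day|week|month|year)$/',   // time range
    'z' => '/^(small|medium|large|xlarge)$/',  // graph size
];

// (a) In-place approach: mutate the superglobal once, early, so that
// later code sees a $_GET containing only "declared okay" keys.
// Auditing cost: a reader of graph.php must know this ran first.
function filter_get_in_place(array $allowed): void
{
    foreach ($_GET as $key => $value) {
        if (!isset($allowed[$key]) || !is_string($value)
            || !preg_match($allowed[$key], $value)) {
            unset($_GET[$key]);
        }
    }
}

// (b) Read-only approach: $_GET stays exactly as the client sent it.
// Callers obtain values only through this accessor, so every validated
// read is explicit and raw superglobal use stands out in review.
function param(string $key, array $allowed, ?array $source = null)
{
    $source = $source ?? $_GET;
    if (!isset($allowed[$key], $source[$key])) {
        return null;                       // not declared okay, or absent
    }
    $value = $source[$key];
    // Arrays (c[]=...) and non-matching strings are rejected, not coerced.
    return (is_string($value) && preg_match($allowed[$key], $value))
        ? $value : null;
}

// Constructed request for demonstration.
$_GET = ['c' => 'web-tier', 'h' => 'node01.example',
         'r' => 'hour', 'evil' => '<script>'];

$cluster = param('c', $allowed);     // 'web-tier'
$range   = param('r', $allowed);     // 'hour'
$evil    = param('evil', $allowed);  // null: key not in the whitelist
```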
