Matthias Nothhaft wrote:
> Lukas Kahwe Smith wrote:
>> François Zaninotto wrote:
>>> Absolutely. In this case, I'd advise using the attribute holder of the
>>> request object:
>>>
>>> sfContext::getInstance()->getRequest()->setParameter('foo', 'bar');
>>>
>>> $foo = sfContext::getInstance()->getRequest()->getParameter('foo');
>> I am not sure if this is really ideal. Seems like a similar security
>> risk like register global.
>
> What do you think is the security risk here? And what solution do you miss?

Well, the user could just add ?foo=evil to his request and it would be as if I had set this. Obviously this requires knowledge about my code, but internal variables should of course remain separated from (unvalidated) user input.

What I miss is a dedicated parameter holder for variables I want to pass between different logical units within a symfony request (between modules, between modules and filters etc.).

I guess I will need to create my own parameter holder somewhere for now. Or am I missing something here?

regards,
Lukas
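
The separation discussed in this thread, as an added example that is not part of any message above and is not symfony's own code: `DemoRequest`, `setInternal()` and `getInternal()` are hypothetical names, and the query string is constructed sample input.

```php
<?php
// Hypothetical stand-in for a framework request object (not symfony's class).
final class DemoRequest
{
    /** Values taken from the query string or POST body: user-controlled. */
    private array $parameters;

    /** Values written only by application code: never filled from input. */
    private array $internal = [];

    public function __construct(array $userInput)
    {
        $this->parameters = $userInput;
    }

    public function setParameter(string $name, $value): void
    {
        $this->parameters[$name] = $value;
    }

    public function getParameter(string $name, $default = null)
    {
        return $this->parameters[$name] ?? $default;
    }

    public function setInternal(string $name, $value): void
    {
        $this->internal[$name] = $value;
    }

    public function getInternal(string $name, $default = null)
    {
        return $this->internal[$name] ?? $default;
    }
}

// Constructed sample input: the request arrives with "?foo=evil".
parse_str('foo=evil', $query);
$request = new DemoRequest($query);

// Shared holder: if the code path that calls setParameter('foo', ...) did not
// run, a later reader cannot tell the user's value from an internal one.
var_dump($request->getParameter('foo'));

// Separate holder: user input never reaches it, so an unset value stays unset
// and a value set by application code is the only one ever returned.
var_dump($request->getInternal('foo'));
$request->setInternal('foo', 'bar');
var_dump($request->getInternal('foo'));
```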