Lukas Kahwe Smith wrote:
> Matthias Nothhaft wrote:
>> Lukas Kahwe Smith wrote:
>>> François Zaninotto wrote:
>>>> Absolutely. In this case, I'd advise to use the attribute holder of the
>>>> request object:
>>>>
>>>> sfContext::getInstance()->getRequest()->setParameter('foo', 'bar');
>>>>
>>>> $foo = sfContext::getInstance()->getRequest()->getParameter('foo');
>>> I am not sure if this is really ideal. Seems like a similar security
>>> risk like register globals.
>> What do you think is the security risk here? And what solution do you miss?
>
> Well the user could just add ?foo=evil into his request and it would be
> like if I set this. Obviously this requires knowledge about my code, but
> internal variables should of course remain separated from (unvalidated)
> user input.
oh.. thanks for that hint.. this is really evil..

> What I miss is a dedicated parameter holder for variables I want to pass
> between different logical units within a symfony request (between
> modules, between modules and filters etc.).
>
> I guess I will need to create my own parameter holder somewhere for now.
> Or am I missing something here?

You could use the parameter holder of the user instance:

sfContext::getInstance()->getUser()->setParameter($name, $value, $ns);
sfContext::getInstance()->getUser()->getParameter($name, $ns);
sfContext::getInstance()->getUser()->hasParameter($name, $ns);
sfContext::getInstance()->getUser()->getParameterHolder();

--> attributes are stored in the session - parameters not.

But I think Symfony should provide a dedicated parameter holder with
sfContext. This would probably be the best place for internal communication!?

Regards,
Matthias
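As an added illustration of the risk Lukas describes (not code from the thread or from symfony itself), the following PHP models a request parameter holder that is filled from the query string, the way sfWebRequest's is, beside a holder that only application code ever writes to. The ParameterHolder class, the 'mode' parameter and the query string are constructed for this example.

```php
<?php
// Stand-in for a symfony 1.x parameter holder, constructed for this example
// (not sfParameterHolder; just enough of its behaviour to show the point).
class ParameterHolder
{
    private $params = array();
    public function set($name, $value)
    {
        $this->params[$name] = $value;
    }

    public function get($name, $default = null)
    {
        return array_key_exists($name, $this->params) ? $this->params[$name] : $default;
    }
}

// The request holder is filled from the query string before any application
// code runs, which is how sfWebRequest ends up holding what the client sent.
function buildRequestHolder($queryString)
{
    $request = new ParameterHolder();
    parse_str($queryString, $fromClient);
    foreach ($fromClient as $name => $value) {
        $request->set($name, $value);
    }
    return $request;
}

// Flawed pattern from the thread: a filter passes 'mode' to the action through
// the request holder, but only when it decides to. The action cannot tell a
// value written by the filter from one the client put in the URL.
function actionReadingRequest(ParameterHolder $request)
{
    return $request->get('mode', 'restricted');
}

// Dedicated holder that only application code writes to: a missing filter
// write really does mean "not set", whatever the URL contains.
function actionReadingInternal(ParameterHolder $internal)
{
    return $internal->get('mode', 'restricted');
}

// Constructed request: the filter did NOT run, but the client appended
// ?mode=evil to the URL, exactly the case raised in the thread.
$request  = buildRequestHolder('page=1&mode=evil');
$internal = new ParameterHolder();
echo 'via request holder:  ', actionReadingRequest($request), "\n";
echo 'via internal holder: ', actionReadingInternal($internal), "\n";
```

The first line shows the client-supplied value being treated as if the filter had set it; the second falls back to the default because nothing in the application wrote to the dedicated holder.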