Hi.

>>>> $foo = sfContext::getInstance()->getRequest()->setParameter('foo');
>>> I am not sure if this is really ideal. Seems like a similar security
>>> risk like register global.
>> What do you think is the security risk here? And what solution do you miss?
>
> Well the user could just add ?foo=evil into his request and it would be
> like if I set this. Obviously this requires knowledge about my code, but
> internal variables should of course remain separated of (unvalidated)
> user input.
>
> What I miss is a dedicated parameter holder for variables I want to pass
> between different logical units within a symfony request (between
> modules, between modules and filters etc.).

I think there already is: The request object has a parameter holder called "attributeHolder". See: http://cpr.in-berlin.de/mirror/symfony-project.com/api-1.0.0beta4/de/d14/classsfRequest.htm

So instead of setParameter() and getParameter() just use setAttribute() and getAttribute()

Martin
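The separation discussed in this thread, as an added example that is not part of the original messages and not symfony's own code. `RequestSketch` is a hypothetical stand-in that models only the two holders, on the assumption that request parameters are filled from client input while attributes are written only by application code; `accessFilter` and the sample query string are constructed for illustration.

```php
<?php
// Hypothetical stand-in for the request object: it models only the two
// holders from the thread and is not symfony's implementation.
final class RequestSketch
{
    private array $parameters;      // filled from client input (GET/POST)
    private array $attributes = []; // written only by application code

    public function __construct(array $clientInput)
    {
        $this->parameters = $clientInput;
    }

    public function getParameter(string $name, $default = null)
    {
        return $this->parameters[$name] ?? $default;
    }

    public function setAttribute(string $name, $value): void
    {
        $this->attributes[$name] = $value;
    }

    public function getAttribute(string $name, $default = null)
    {
        return $this->attributes[$name] ?? $default;
    }
}

// Hypothetical filter that stores its result only on one code path.
function accessFilter(RequestSketch $request, bool $checkPassed): void
{
    if ($checkPassed) {
        $request->setAttribute('foo', 'set-by-filter');
    }
}

// Constructed request: the client appended foo=evil to the query string.
parse_str('module=account&action=show&foo=evil', $query);
$request = new RequestSketch($query);

accessFilter($request, false); // the filter stored nothing on this path

// The parameter holder hands back whatever the client sent for 'foo'.
var_dump($request->getParameter('foo'));

// The attribute holder holds only what application code stored, so the
// client's value never shows up here.
var_dump($request->getAttribute('foo'));
```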