Superglobal


Owen Winkler

Nov 25, 2008, 8:42:58 AM
to habar...@googlegroups.com
Over the weekend I committed some code that does some strange things to
the $_GET, $_POST, $_SERVER, $_REQUEST, and $_COOKIE superglobal arrays,
in addition to handler_vars.

These variables are now all replaced with an instance of the Superglobal
class.

The end result is that when you ask for the value of $_POST['foo'] (for
example), the value has already been passed through InputFilter for
removal of potentially malicious code.

To obtain the raw, original value of the submission, you must use a
construct that seems unnatural: $_POST->get('foo')

The intent is to make it easy to use filtered values, and to make
developers aware that they are using potentially unsafe values when they do.

It would be useful to add some other filtering to the Superglobals class
that could allow different levels of filtering. For that, some
revisions to the InputFilter class may be required.

Owen

Matt Read

Nov 25, 2008, 2:33:03 PM
to habar...@googlegroups.com
One other note: The $_POST/$_GET etc. are not actually arrays anymore,
so if you want an array for things like array_map or other array
functions you can use the ArrayObject method $_POST->getArrayCopy()


--
Matt Read
http://mattread.com

Sean Coates

Nov 25, 2008, 2:50:21 PM
to habar...@googlegroups.com
> One other note: The $_POST/$_GET etc. are not actually arrays anymore,
> so if you want an array for things like array_map or other array
> functions you can use the ArrayObject method $_POST->getArrayCopy()

True, though I'd strongly advise against this when writing new code,
as it essentially bypasses the protections put in place by the
SuperGlobal stuff.

See http://trac.habariproject.org/habari/changeset/2873/trunk/htdocs/system/classes/installhandler.php
for (IMO) a good example of how to properly handle this.

S

Matt Read

Nov 26, 2008, 2:21:55 AM
to habar...@googlegroups.com

Using ArrayObject->getArrayCopy() or foreach( ArrayObject ) produces
the same result, as ArrayObject does not implement an Iterator
directly.

Rev 2887 makes SuperGlobal extend ArrayIterator instead of
ArrayObject, so the example mentioned above will use the filtered
(safe) data. Also it overloads getArrayCopy so that a filtered (safe)
array is returned (although not recommended for consumption, since it
could slow things down).

Owen Winkler

Nov 26, 2008, 8:31:38 AM
to habar...@googlegroups.com
Matt Read wrote:
>
> Rev 2887 makes SuperGlobal extend ArrayIterator instead of
> ArrayObject, so the example mentioned above will use the filtered
> (safe) data. Also it overloads getArrayCopy so that a filtered (safe)
> array is returned (although not recommended for consumption, since it
> could slow things down).

I haven't tried it, but wouldn't that affect SuperGlobal::raw()? raw()
calls $this->getArrayCopy() which would presumably trigger the now
present public method, so none of its values would actually be "raw".
Easy to fix, I think.

Owen

Matt Read

Nov 26, 2008, 10:30:52 AM
to habar...@googlegroups.com

Yes it will. Was late and never got to implementing something.
http://trac.habariproject.org/habari/ticket/773
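The behaviour discussed across this thread, as one added PHP example that is not Habari's Superglobal or InputFilter code: array-style reads ($_POST['foo']) return filtered values while ->get('foo') returns the raw submission (Owen's first message), foreach and getArrayCopy() see filtered data once the class extends ArrayIterator (Matt's rev 2887 note), and a raw() method that calls $this->getArrayCopy() silently returns filtered data until it calls the parent implementation instead (Owen's follow-up and ticket 773). InputFilter is stood in for by strip_tags(); the method bodies are assumptions, and the sample submission is constructed. Requires PHP 7.4 or later.

```php
<?php
// Added illustration, not Habari's Superglobal/InputFilter code.
// Assumed: InputFilter::filter() is stood in for by strip_tags();
// the get()/raw() method names follow the thread, their bodies are hypothetical.

class InputFilter
{
    // Stand-in for Habari's InputFilter: strips tags, recursing into arrays.
    public static function filter($value)
    {
        if (is_array($value)) {
            return array_map([self::class, 'filter'], $value);
        }
        return strip_tags((string) $value);
    }
}

class Superglobal extends ArrayIterator
{
    // $_POST['foo']: filtered on every array-style read.
    #[\ReturnTypeWillChange]
    public function offsetGet($key)
    {
        return InputFilter::filter(parent::offsetGet($key));
    }

    // $_POST->get('foo'): the deliberately unnatural raw accessor.
    public function get($key)
    {
        return parent::offsetGet($key);
    }

    // foreach ($_POST as $k => $v) also sees filtered values, because
    // SPL dispatches to an overridden current() during iteration.
    #[\ReturnTypeWillChange]
    public function current()
    {
        return InputFilter::filter(parent::current());
    }

    // Overloaded so array_map() etc. on the copy receive filtered data.
    #[\ReturnTypeWillChange]
    public function getArrayCopy()
    {
        return InputFilter::filter(parent::getArrayCopy());
    }

    // The trap from the thread: $this->getArrayCopy() dispatches to the
    // override above, so nothing returned here is actually raw.
    public function raw_via_this()
    {
        return $this->getArrayCopy();
    }

    // The fix: bypass the override by calling the parent implementation.
    public function raw()
    {
        return parent::getArrayCopy();
    }
}

// Constructed sample submission (not a real request); PHP allows
// reassigning a superglobal, which is what Habari does at bootstrap.
$_POST = new Superglobal([
    'name' => 'Ann <script>alert(1)</script>',
    'tags' => ['<b>first</b>', 'second'],
]);

echo "filtered: ", $_POST['name'], PHP_EOL;
echo "raw:      ", $_POST->get('name'), PHP_EOL;

// Iteration goes through current(), so these values are filtered too.
foreach ($_POST as $key => $value) {
    echo "foreach $key => ", is_array($value) ? implode(',', $value) : $value, PHP_EOL;
}

// Array functions need a real array; the overloaded copy is filtered.
$upper = array_map(
    fn ($v) => is_array($v) ? $v : strtoupper($v),
    $_POST->getArrayCopy()
);
echo "array_map on copy: ", $upper['name'], PHP_EOL;

// raw_via_this() hands back filtered data (the bug); raw() hands back the original.
var_dump($_POST->raw_via_this()['name'] === $_POST['name']);
var_dump($_POST->raw()['name'] === $_POST->get('name'));
```

The #[\ReturnTypeWillChange] attribute keeps the overrides free of deprecation notices on PHP 8.1+ and is parsed as a comment on older releases. Sean's caveat still applies to the raw() path: anything that walks parent::getArrayCopy() is handling unfiltered input and must do its own validation.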
