Checking of passed variables

Variables passed to PHP scripts can easily be manipulated by an attacker: all it takes is to change the value of the variable in the URL in the browser. For this reason it is very important that every passed variable is checked for appropriate values before it is used in the script.

Admidio generally processes all passed $_GET and $_POST variables with the functions strip_tags and addslashes. Thus it is not possible to put HTML code into a variable on the one hand, nor to perform SQL injection on the other.

The function admFuncVariableIsValid is available for checking a passed variable. The checked value should then be assigned to a new local variable with the prefix get. If the passed variable is called $_GET['headline'], the local variable should be named $getHeadline. That way you can see directly in the code that the value comes from a passed variable and can treat its content with appropriate care.

Function admFuncVariableIsValid

File: adm_program/system/function.php
Version: 2.3

Description

The function checks a variable from an array for plausible values. The check can be refined through the additional parameters.

value admFuncVariableIsValid($array, $variableName, $type, $defaultValue = null,
                             $requireValue = false, $validValues = null, $directOutput = false)

Parameter

Return

The value of the variable is returned. For texts, strip_tags is additionally applied, which removes HTML tags.

Examples

// Number, which is optionally initialized to 0
$getDatId = admFuncVariableIsValid($_GET, 'dat_id', 'numeric', 0);
 
// Text which is optionally initialized with DAT_DATES
$getHeadline = admFuncVariableIsValid($_GET, 'headline', 'string', $gL10n->get('DAT_DATES'));
 
// Text which is optionally initialized with 'actual' and may only take the values 'actual' or 'old'
$getMode = admFuncVariableIsValid($_GET, 'mode', 'string', 'actual', false, array('actual', 'old'));
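To show how these calls fit together at the top of a script, here is an added example that is not Admidio's own code; it assumes the common.php include used by Admidio scripts and the signature documented above, while the parameter names, the column dat_begin and the output line are invented for illustration.

```php
<?php
// Added example (not Admidio's own code). Assumes Admidio's common.php
// include and the documented signature of admFuncVariableIsValid; the
// parameter names, the column dat_begin and the output are invented.
require_once('../../system/common.php');

// Every incoming value is checked once, here at the top, and copied into a
// $get... variable. The rest of the script never touches $_GET directly.

// Numeric id, 0 when absent. $requireValue = true marks the parameter as
// mandatory instead of silently continuing with the default (assumption
// based on the parameter name; see the signature above).
$getDatId = admFuncVariableIsValid($_GET, 'dat_id', 'numeric', 0, true);

// String restricted by $validValues to 'actual' or 'old'; 'actual' when absent.
$getMode = admFuncVariableIsValid($_GET, 'mode', 'string', 'actual', false, array('actual', 'old'));

// Free text; strip_tags is applied, so no HTML tags remain in the value.
$getHeadline = admFuncVariableIsValid($_GET, 'headline', 'string', $gL10n->get('DAT_DATES'));

// Because $getMode is limited to the two listed values, the switch needs no
// branch for unexpected input.
switch ($getMode) {
    case 'old':
        $condition = ' AND dat_begin < NOW() ';
        break;
    case 'actual':
        $condition = ' AND dat_begin >= NOW() ';
        break;
}

// strip_tags removed tags; htmlspecialchars additionally escapes what is left
// before the text is written into the page.
echo '<h1>'.htmlspecialchars($getHeadline).'</h1>';
```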