Checking of passed variables
Variables passed to PHP scripts can easily be manipulated by an attacker: all that is needed is to edit the URL in the browser so that it carries a different value for the variable. For this reason it is very important that every passed variable is checked for an appropriate value before it is used in the script.
Admidio generally runs all passed $_GET and $_POST variables through the functions strip_tags and addslashes. On the one hand this prevents HTML code from being placed in a variable, and on the other hand it prevents SQL injection.
To check a passed variable, the function admFuncVariableIsValid is available. The checked value should then be assigned to a new local variable with the prefix get. If the passed variable is named $_GET['headline'], the local variable should be named $getHeadline. This way it is immediately visible in the code that the value comes from a passed variable and that its content must be handled with appropriate care.
Function admFuncVariableIsValid
File: adm_program/system/function.php
Version: 2.3
Description
The function checks a variable from an array for plausible values. The check can be refined with additional parameters.
value admFuncVariableIsValid($array, $variableName, $type, $defaultValue = null, $requireValue = false, $validValues = null, $directOutput = false)
Parameter
- array The array (for example $_GET or $_POST) that contains the variable to be tested
- variableName Name of the variable in the array that is to be tested
- type Type of the variable: numeric, string, boolean or file. Depending on the type, different tests are performed on the value of the variable, and a notice is output if the value does not match the type
- defaultValue If no value for the variable is passed to the script, the variable is initialized with this value
- requireValue If set to true, a message is shown if the variable was passed without a value
- validValues An array of valid values for the variable. If the passed value is not contained in this array, a notice is issued
- directOutput If set to true, an error message is not returned as an HTML page; instead the error text is output unformatted directly via echo
Return
It returns the value of the variable. For strings, the function additionally performs strip_tags, which removes HTML tags.
Examples
// Number, which is optionally initialized to 0
$getDatId = admFuncVariableIsValid($_GET, 'dat_id', 'numeric', 0);
// Text, which is optionally initialized with DAT_DATES
$getHeadline = admFuncVariableIsValid($_GET, 'headline', 'string', $gL10n->get('DAT_DATES'));
// Text, which is optionally initialized with 'actual' and may only take the values 'actual' and 'old'
$getMode = admFuncVariableIsValid($_GET, 'mode', 'string', 'actual', false, array('actual', 'old'));
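To make the checks described above concrete, the following is an added, self-contained illustration of the same idea: a simplified function that applies the type check, the default value, the requireValue flag and the validValues whitelist to a request array, and then the three calls from the examples above run against a constructed, attacker-style $_GET. This is not Admidio's own function.php code; the function name demoVariableIsValid, the use of exceptions instead of Admidio's notice pages, and the omission of the file type are assumptions made for this example.

```php
<?php
// Illustrative reimplementation of the checks described on this page.
// NOT Admidio's admFuncVariableIsValid: names prefixed "demo" are assumptions,
// errors are raised as exceptions instead of rendered notices, and the
// 'file' type is not covered here.
function demoVariableIsValid(array $array, string $variableName, string $type,
                             $defaultValue = null, bool $requireValue = false,
                             ?array $validValues = null)
{
    // Missing or empty parameter: enforce requireValue, otherwise fall back to the default
    if (!isset($array[$variableName]) || $array[$variableName] === '') {
        if ($requireValue) {
            throw new InvalidArgumentException("Parameter '$variableName' is required");
        }
        return $defaultValue;
    }

    $value = $array[$variableName];

    // Type-dependent checks: reject anything that does not match the declared type
    switch ($type) {
        case 'numeric':
            if (!is_numeric($value)) {
                throw new InvalidArgumentException("Parameter '$variableName' must be numeric");
            }
            $value = $value + 0; // numeric string becomes int or float
            break;
        case 'boolean':
            $bool = filter_var($value, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
            if ($bool === null) {
                throw new InvalidArgumentException("Parameter '$variableName' must be boolean");
            }
            $value = $bool;
            break;
        case 'string':
            // As described in the Return section: HTML tags are removed from text values
            $value = strip_tags((string) $value);
            break;
        default:
            throw new InvalidArgumentException("Unknown type '$type'");
    }

    // Whitelist check: the value must be one of the explicitly allowed values
    // (strict comparison, so validValues for a numeric variable must hold ints/floats)
    if ($validValues !== null && !in_array($value, $validValues, true)) {
        throw new InvalidArgumentException("Parameter '$variableName' has an invalid value");
    }

    return $value;
}

// Constructed sample request: the kind of input a visitor can craft by editing the URL
$_GET = [
    'dat_id'   => '42',
    'headline' => '<script>alert(1)</script>Dates',
    'mode'     => 'delete',
];

// Numeric parameter with default 0: '42' passes and becomes int 42
$getDatId = demoVariableIsValid($_GET, 'dat_id', 'numeric', 0);

// String parameter with default: the tag is stripped, leaving 'alert(1)Dates'
$getHeadline = demoVariableIsValid($_GET, 'headline', 'string', 'DAT_DATES');

// Whitelisted string parameter: 'delete' is not in ['actual', 'old'] and is rejected
try {
    $getMode = demoVariableIsValid($_GET, 'mode', 'string', 'actual', false, ['actual', 'old']);
} catch (InvalidArgumentException $e) {
    $getMode = 'actual'; // fall back to a known-good value after logging/notifying
}

var_dump($getDatId, $getHeadline, $getMode);
```

The three calls mirror the page's own examples, but with a deliberately hostile request so the effect of each check is visible: the numeric check turns the string into a number, the string check drops the injected tag, and the whitelist rejects the unexpected mode rather than letting the script act on it.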