PHP and Super Global Arrays

Posted by kris on February 03, 2008

The problem with the PHP super global arrays, such as $_GET and $_POST is they contain the raw query parameters that the browser passes. I’ve seen more than my fair share of abuse when fixing clients apps where they have not properly sanitized user input, which leads to SQL inject and XSS attacks. This is MY cms though, so why does it matter? Well, I plan on releasing the CMS to the general public, and I want to make sure that users who develop plugins follow a strict development guidelines.I created a Request class which loads$_GET and $_POST into class members, sanitizes them, and makes them accessible via:

Code: php
  1.  
  2. Request::get(’key’, ‘default value’);
  3. Request::post(’key’, ‘default value’);

This will allow you to fetch a get or post variable, and if it doesn’t exist, return a default value. I then would delete the $_GET and $_POST vars so they’re not accessible at all, therefor forcing users to use the Request class to get passed in parameters. This ensures any user submitted data is sanitized before it reaches any real code.

This is not set in concrete as of yet, but I like the way this sounds. It’s difficult to find a CMS that has strict enough guidelines with an emphasis on security not just on the backend, but on user submitted plugins/modules as well.

Opinion? Suggestions?

Trackbacks

Use this link to trackback from your own site.

Comments

Leave a response

  1. Mason Fri, 07 Mar 2008 01:27:58 PST

    +1

Comments

Close
E-mail It