The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
need clarification on coding standards
I have been working on my new site for several months now. I have been making extensive use of $_POST and $_REQUEST in some of my custom scripts.
I just came across the "code standards" section of the vB3 documentation - http://www.vbulletin.com/docs/html/codestandards_gpc Quote:
2) I have been using $_POST and $_REQUEST in the templates. Is this horribly wrong or is it just a harmless thing like some of the other coding standards?
#2
1/ When magic_quotes are on, all ' (single quote), " (double quote), \ (backslash) and NULs are escaped with a backslash automatically.
2/ There's nothing wrong with it, but it's a little redundant. If you use the globalize function as other vB pages do, then you can use the unglobalized variable version, which in general just makes for cleaner code. Good luck!
#3
As an addition to 2):
It's not recommended to use $_REQUEST or $_POST variables directly in templates, because they can be directly edited by the user (just an HTML change and you can have some bad things in). It's not very problematic, as normally it couldn't hurt in templates, but just to be on the safe side, it's better to always use the globalize() function and then use the globalized vars in templates.
#4
oic
I validate all REQUEST and POST data very carefully, so I don't think I'm in any danger of injection. Is the magic quotes thing the same as magic_quotes_gpc? I already use this code when I addslashes to POST data: PHP Code:
#5
Even the best coders can make slip-ups which lead to injection. The code you've posted above doesn't quite make sense to me. What I'd do is this:
PHP Code:
#6
I am handling the specific REQUEST and POST vars that I use rather than handling the whole arrays. When I add a REQUEST or POST var I add another line for it.
#7
So if you have 3 request vars you'd have this 3 times??:
PHP Code:
#8
PHP Code:
#9
OK... well, with vB3 you might as well use their globalize function, as it does checks on other things such as arrays, integers, files. As well as this, it also deals with the magic quotes problem, so it's standard on any vBulletin installation to use it:
PHP Code:
The first argument to the function is either $_POST or $_REQUEST; then you pass an array of $_POST/$_REQUEST values you want to validate/strip etc. If you take a look at the function in (I think) functions.php you'll see what it can validate.
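As an added example that is neither vBulletin's globalize() nor any poster's code: a minimal typed input cleaner in the spirit of post #9, showing why magic quotes are undone once rather than stacked with addslashes, why specific variables are validated by type instead of trusting the raw arrays, and why escaping belongs at template output. The helper names clean_input() and tpl_escape(), the type labels and the sample request are assumptions constructed for this example.

```php
<?php
// Added example, not vBulletin's globalize(). clean_input() and its type
// labels are hypothetical names chosen for this illustration.

function clean_input(array $source, array $spec)
{
    $clean = array();
    // magic_quotes_gpc (PHP < 5.4) already backslash-escaped GPC data; undo it
    // once so a later addslashes() never double-escapes (post #2's "redundant").
    $magic = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
    foreach ($spec as $name => $type) {
        $raw = isset($source[$name]) ? $source[$name] : null;
        if ($magic && is_string($raw)) {
            $raw = stripslashes($raw);
        }
        switch ($type) {
            case 'int':
                // an array or object here becomes 0 instead of reaching a query
                $clean[$name] = is_scalar($raw) ? (int) $raw : 0;
                break;
            case 'array':
                $clean[$name] = is_array($raw) ? $raw : array();
                break;
            case 'str':
            default:
                // scalars only: a user-supplied array must not reach a template
                $clean[$name] = is_scalar($raw) ? trim((string) $raw) : '';
                break;
        }
    }
    return $clean;
}

// Escape at output time; this is what makes template use safe, not addslashes().
function tpl_escape($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample request (not real traffic): a numeric id with junk
// appended, a title with a quote and markup, and an array-valued field.
$_POST = array(
    'threadid' => '42abc',
    'title'    => "It's <b>bold</b>",
    'tags'     => array('php', 'vb3'),
);
$vars = clean_input($_POST, array('threadid' => 'int', 'title' => 'str', 'tags' => 'array'));
var_dump($vars['threadid'], $vars['tags']);
echo tpl_escape($vars['title']), "\n";
```

Only the variables named in the spec are copied out, which is the same property post #6 was trying to get by adding one line per variable.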