vb.org Archive > vBulletin 3 Discussion > vB3 Programming Discussions
#1  Jakeman (Join Date: Nov 2001, Posts: 273), 06-22-2004, 11:09 PM
need clarification on coding standards

I have been working on my new site for several months now. I have been making extensive use of $_POST and $_REQUEST in some of my custom scripts.

I just came across the "code standards" section of the vB3 documentation - http://www.vbulletin.com/docs/html/codestandards_gpc

Quote:
$_GET and $_POST variables should be run through the globalize() function in order to ensure that they have evil magic quotes removed from them before being used, with the exception of $_REQUEST['do'] and $_POST['do'], which is used as the controlling variable for deciding which branch of a script is executed. Do not use $_GET / $_POST / $_REQUEST etc. variables in templates.

1) What are magic quotes and why are they evil?

2) I have been using $_POST and $_REQUEST in the templates. Is this horribly wrong or is it just a harmless thing like some of the other coding standards?
#2  Dean C (Join Date: Jan 2002, Location: England, Posts: 9,071), 06-23-2004, 10:20 AM

1/ When magic_quotes are on, all ' (single quote), " (double quote), \ (backslash) and NULs are escaped with a backslash automatically.

2/ There's nothing wrong with it but it's a little redundant. If you use the globalize function as other vB pages do then you can use the unglobalized variable version which in general just makes it cleaner code.

Good luck!
#3  Xenon (Join Date: Oct 2001, Location: Bavaria, Posts: 12,878), 06-23-2004, 05:48 PM

as an addition to 2)

it's not recommended to use $_REQUEST or $_POST variables directly in templates, because they can be directly edited by the user (just a html change and you can have some bad things in).
it's not very problematical, as normally it couldn't hurt on templates, but just to be on the safe side, it's better to always use the globalize() function and then use the globalized vars in templates.
#4  Jakeman (Join Date: Nov 2001, Posts: 273), 06-24-2004, 04:57 AM

oic

I validate all REQUEST and POST data very carefully, so I don't think I'm in any danger of injection.

Is the magic quotes thing the same as magic_quotes_gpc? I already use this code when I addslashes to POST data:

PHP Code:
    // IF M_Q_GPC IS NOT ENABLED, THEN PARSE FOR INJECTION
    // M_Q_GPC AUTOMATICALLY PARSES ALL POSTED DATA IF ENABLED
    if (!get_magic_quotes_gpc())
    {
        $_POST['var'] = addslashes($_POST['var']);
    }
So I think I have that covered.
#5  Dean C (Join Date: Jan 2002, Location: England, Posts: 9,071), 06-24-2004, 11:54 AM

Even the best coders can make slip-ups which lead to injection. The code you've posted above doesn't quite make sense to me. What I'd do is this:

PHP Code:
    // only escape by hand when PHP has not already done it for us
    if (!get_magic_quotes_gpc())
    {
        foreach ($_POST AS $postkey => $postval)
        {
            if (is_string($postval))
            {
                $_POST["$postkey"] = addslashes($postval);
            }
        }
    }
But doesn't vB3 do all this automatically? :s You can just use the globalize function anyway to do all of what I posted above. And it helps clean up strings, arrays, files and integers too.
#6  Jakeman (Join Date: Nov 2001, Posts: 273), 06-25-2004, 06:08 PM

I am handling the specific REQUEST and POST vars that I use rather than handling the whole arrays. When I add a REQUEST or POST var I add another line for it.
#7  Dean C (Join Date: Jan 2002, Location: England, Posts: 9,071), 06-25-2004, 08:47 PM

So if you have 3 request vars you'd have this 3 times??:

PHP Code:
    // IF M_Q_GPC IS NOT ENABLED, THEN PARSE FOR INJECTION
    // M_Q_GPC AUTOMATICALLY PARSES ALL POSTED DATA IF ENABLED
    if (!get_magic_quotes_gpc())
    {
        $_POST['var'] = addslashes($_POST['var']);
    }
#8  Jakeman (Join Date: Nov 2001, Posts: 273), 06-25-2004, 10:25 PM

PHP Code:
    // IF M_Q_GPC IS NOT ENABLED, THEN PARSE FOR INJECTION
    // M_Q_GPC AUTOMATICALLY PARSES ALL POSTED DATA IF ENABLED
    if (!get_magic_quotes_gpc())
    {
        $_POST['var1'] = addslashes($_POST['var1']);
        $_POST['var2'] = addslashes($_POST['var2']);
        $_POST['var3'] = addslashes($_POST['var3']);
    }
#9  Dean C (Join Date: Jan 2002, Location: England, Posts: 9,071), 06-26-2004, 09:33 AM

Ok... well, with vB3 you might as well use their globalize function as it does checks on other things such as arrays, integers, files. As well as this it also deals with the magic quotes problem, so it's standard on any vBulletin installation to use it:

PHP Code:
    // each key of $_POST is paired with the type it must be cleaned to
    globalize($_POST, array('posthash' => STR_NOHTML, 'poststarttime' => INT, 'stickunstick' => INT, 'openclose' => INT));
Straight from editpost.php

The first argument to the function is either $_POST or $_REQUEST, then you pass an array of $_POST/$_REQUEST values you want to validate/strip etc. If you take a look at the function in (I think) functions.php you'll see what it can validate.
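The key => type pattern from posts #2 and #9, rebuilt as an added example that is not vBulletin's own globalize(): clean_gpc() and its three constants are hypothetical names, it returns an array instead of creating globals, and it undoes magic quotes exactly once before casting each field by type, which is the double-escaping slip the thread circles around.

```php
<?php
// Added example, not vBulletin code. clean_gpc(), INT, STR and STR_NOHTML
// are hypothetical names standing in for the globalize() call quoted above.
const INT        = 1;   // cast to integer
const STR        = 2;   // string, magic-quote backslashes removed only
const STR_NOHTML = 3;   // string with HTML special characters encoded

// True when magic_quotes_gpc has already backslashed the request.
// get_magic_quotes_gpc() is gone in PHP 8, hence the function_exists() guard.
function magic_quotes_active()
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// $source is $_POST or $_REQUEST; $spec maps key => type. $magic lets a
// caller force the "magic quotes on" case on a PHP that no longer has them.
function clean_gpc(array $source, array $spec, $magic = null)
{
    if ($magic === null) {
        $magic = magic_quotes_active();
    }
    $out = array();
    foreach ($spec as $key => $type) {
        $raw = isset($source[$key]) ? $source[$key] : '';
        // Strip the automatic backslashes once, so a later addslashes() or
        // a prepared statement does not double-escape the value.
        if ($magic && is_string($raw)) {
            $raw = stripslashes($raw);
        }
        if ($type === INT) {
            $out[$key] = intval($raw);          // "12abc" -> 12, "<b>" -> 0
        } elseif ($type === STR_NOHTML) {
            $out[$key] = htmlspecialchars((string) $raw, ENT_QUOTES, 'UTF-8');
        } else {
            $out[$key] = (string) $raw;
        }
    }
    return $out;
}

// Constructed sample: what arrives in $_POST with magic quotes ON.
$_POST = array(
    'posthash'      => "O\\'Brien <b>",     // the user typed: O'Brien <b>
    'poststarttime' => '1088110000abc',
    'openclose'     => '<script>',
);
$clean = clean_gpc($_POST, array('posthash' => STR_NOHTML,
    'poststarttime' => INT, 'openclose' => INT), true);
var_dump($clean);
```

Running it with $magic forced to true shows the apostrophe surviving as a single encoded quote rather than a backslash-quote pair, and both non-numeric inputs collapsing to integers.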