[Typo3-dev] RFC: magic_quotes and TYPO3

Karsten Dambekalns k.dambekalns at fishfarm.de
Tue Feb 10 12:44:17 CET 2004


Hi Kasper.

On 2004-02-09, Kasper Skårhøj <kasper at typo3.com> wrote:
> Since I believe it would have been cleaner that TYPO3 actually
> removed slashes regardless of magic quotes settings I now propose
> some best-practise guidelines for codes which mean that we might be
> able to move to this status in a year or two from now. And I want to
> have your comments on this before I do so.
>
> Basically, the rules are:
>
> 1) Always access GET and POST vars by a TYPO3 API function:
>   1a) t3lib_div::_GET() : will return the current global HTTP_GET_VARS (unescaped recursively)
>   1b) t3lib_div::_POST() : will return the current global HTTP_POST_VARS (unescaped recursively)
>   1c) t3lib_div::_GP($var) : will return a POST or GET var by name $var, with priority to POST (unescaped recursively)

So this would mean that all new code (or code converted to use those
functions) will get unescaped stuff, code still using GPvar() would
get the escaped values?

Fine with me, seems like a nice way to make the transition.


> are always unescaped in the global space. That would be more clean
> and faster.

Right.

> And when this is a reality we can begin to access _GET and _POST
> directly without the above mentioned API functions (which is again
> faster).

Well, we could probably stick to using those functions (thus becoming
independent of some changes that might appear in some distant future,
like $_GET being renamed to $_WHOOP or something). I think the speed
loss isn't that bad, and over time (as machines become faster) will
become more and more insignificant. And caching (and LPE, and probably
more) will solve speed problems better than switching to accessing
those variables directly (IMHO).

Summary: Ok with me, go ahead.

Karsten
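As an added illustration of the rule discussed above (always fetch GET/POST values through an API that unescapes them recursively, so the rest of the code never has to care about the magic_quotes_gpc setting), here is a small stand-alone PHP sketch. It is not TYPO3 code and not from either of the posters; the function names gp_unescape() and gp_var(), the db_quote() stand-in and the sample arrays are assumptions made for the example.

```php
<?php
// Added example (not TYPO3 code): recursive unescaping of GET/POST data
// in the spirit of the t3lib_div::_GET()/_POST()/_GP() rules discussed.
// gp_unescape(), gp_var(), db_quote() and the sample arrays are assumptions.

/**
 * Recursively remove the backslashes that magic_quotes_gpc adds to every
 * string in $_GET/$_POST/$_COOKIE. Nested arrays (e.g. tx_foo[pi1][uid])
 * are walked too, which is why a single stripslashes() on the top level
 * is not enough.
 */
function gp_unescape($value)
{
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            $value[$k] = gp_unescape($v);
        }
        return $value;
    }
    return is_string($value) ? stripslashes($value) : $value;
}

/**
 * Return a GET/POST value by name, POST taking priority, unescaped
 * regardless of the magic_quotes_gpc setting. When magic quotes is off
 * (or on PHP >= 5.4, where the feature no longer exists at all) the data
 * is returned untouched, so callers see the same result on every setup.
 */
function gp_var($name, array $get, array $post)
{
    $raw = array_key_exists($name, $post)
        ? $post[$name]
        : (array_key_exists($name, $get) ? $get[$name] : null);
    $magic = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    return $magic ? gp_unescape($raw) : $raw;
}

// Constructed sample: what PHP hands over with magic_quotes_gpc=On for the
// query string  ?title=O'Reilly&tx_demo[q][0]=say "hi"
$getMagic = array(
    'title'   => "O\\'Reilly",
    'tx_demo' => array('q' => array(0 => 'say \\"hi\\"')),
);
$postMagic = array();

// Unescape explicitly here so the demo does not depend on the php.ini of
// the machine it runs on; application code would call gp_var() instead.
var_dump(gp_unescape($getMagic['title']));    // string(8) "O'Reilly"
var_dump(gp_unescape($getMagic['tx_demo']));  // nested array, quotes restored

// Why always-unescaped matters: the value is then escaped exactly once, at
// the point of use (db_quote() stands in for a real DB escaping function).
// Escaping a still-magic-quoted value doubles the backslashes instead.
function db_quote($s)
{
    return "'" . addslashes($s) . "'";
}
var_dump(db_quote(gp_unescape($getMagic['title'])));  // 'O\'Reilly'   (correct)
var_dump(db_quote($getMagic['title']));               // 'O\\\'Reilly' (double-escaped)
```

The gp_var() wrapper is what the thread's "GPvar() keeps returning escaped values, the new functions return unescaped ones" transition boils down to: code that migrates to the unescaping accessor can apply its own escaping exactly once at the point of use, while code that still reads escaped values would have to know the magic_quotes_gpc setting to avoid the double-escaping shown in the last line.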
