[Typo3-dev] RFC: magic_quotes and TYPO3

"Kasper Skårhøj" kasper at typo3.com
Mon Feb 9 17:56:53 CET 2004


Hi folks.

You remember, a long time ago in PHP days:
- incoming vars were registered as globals by default
- magic_quotes were enabled by default

Today the php.ini file recommends that incoming variables are NEVER registered as globals and that magic_quotes are not enabled.

These two issues have been fixed for TYPO3 for a long time. 
- For incoming values you would either access them in HTTP_GET_VARS/HTTP_POST_VARS or use t3lib_div::GPvar() (which will fetch the value from the POST array if there, otherwise from GET)
- magic_quotes has been handled in this way: IF magic_quotes were NOT enabled TYPO3 would by itself ADD these slashes on ' and ", thereby forcing the HTTP_GET_VARS and HTTP_POST_VARS to ALWAYS contain \' and \" in the two cases above.

So, TYPO3 acts consistently: 
a) There are always slashes before ' and " in GET/POST vars. This is good.
b) TYPO3 should have consistently removed slashes instead. This is bad.
Since I believe it would have been cleaner that TYPO3 actually removed slashes regardless of magic quotes settings, I now propose some best-practice guidelines for code which mean that we might be able to move to this status in a year or two from now. And I want to have your comments on this before I do so.

Basically, the rules are:

1) Always access GET and POST vars by a TYPO3 API function:
  1a) t3lib_div::_GET() : will return the current global HTTP_GET_VARS (unescaped recursively)
  1b) t3lib_div::_POST() : will return the current global HTTP_POST_VARS (unescaped recursively)
  1c) t3lib_div::_GP($var) : will return a POST or GET var by name $var, with priority to POST (unescaped recursively)

2) If you need to *set* a value in HTTP_GET_VARS globally, always use t3lib_div::_GETset() to write back the HTTP_GET_VARS array (will set both HTTP_GET_VARS and the superglobal $_GET)

3) If you access values directly in HTTP_GET_VARS/HTTP_POST_VARS you MUST only do so if your code acts as if there are no slashes on the values! (It is not allowed to check magic_quotes settings since TYPO3 will normalize the arrays no matter what!)

4) If possible, group requests for input variables in an init() function of your classes - thus it is clear to see what external input your application expects.

(this will go into the Coding Guidelines if I have my way...)

The function calls from these three rules can be found underneath here (and in CVS at the end of the day).

The main idea behind these rules is that IF we manage to convert all extensions over the next year or two we will be able to switch the default behavior of TYPO3 so that HTTP_GET_VARS and HTTP_POST_VARS are always unescaped in the global space. That would be cleaner and faster. And when this is a reality we can begin to access _GET and _POST directly without the above mentioned API functions (which is again faster). But I see no other way than using these functions in the meantime...

Comments?


- kasper

--------------------- o ---------------------
"Too many cooks spoil the broth."
"A bird in the hand is better than ten on the roof."
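Below, as an added example written for this archive page (not Kasper's code and not TYPO3's own implementation), is the normalisation and API layer that points a) and rules 1-3 above describe; the function names are hypothetical, and get_magic_quotes_gpc() is the PHP 4/5 check that was removed in PHP 8.

```php
<?php
// Added illustration of the normalisation Kasper describes; not TYPO3's own code.
// Function names here (normalizeRequestArrays, gpVar, ...) are hypothetical.

function addSlashesRecursive($arr) {
    foreach ($arr as $k => $v) {
        $arr[$k] = is_array($v) ? addSlashesRecursive($v) : addslashes($v);
    }
    return $arr;
}

function stripSlashesRecursive($arr) {
    foreach ($arr as $k => $v) {
        $arr[$k] = is_array($v) ? stripSlashesRecursive($v) : stripslashes($v);
    }
    return $arr;
}

// Point a): whatever magic_quotes_gpc says, the raw GET/POST arrays end up
// ALWAYS escaped. get_magic_quotes_gpc() exists in PHP 4/5 only; on PHP 8
// the function is gone and the "not enabled" branch is simply always taken.
function normalizeRequestArrays() {
    $alreadyEscaped = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    if (!$alreadyEscaped) {
        $_GET  = addSlashesRecursive($_GET);
        $_POST = addSlashesRecursive($_POST);
    }
}

// Rules 1a-1c: the API layer hands back UNescaped values, POST before GET.
function getVars()  { return stripSlashesRecursive($_GET); }
function postVars() { return stripSlashesRecursive($_POST); }
function gpVar($name) {
    $src = isset($_POST[$name]) ? $_POST : (isset($_GET[$name]) ? $_GET : null);
    if ($src === null) {
        return null;
    }
    return is_array($src[$name]) ? stripSlashesRecursive($src[$name]) : stripslashes($src[$name]);
}

// Constructed sample request (rule 3): code reading $_GET['title'] directly must
// expect the escaped form; code going through gpVar() gets the literal text and
// escapes it itself, exactly once, at the database layer.
$_GET  = array('title' => "O'Reilly", 'tags' => array("it's"));
$_POST = array();
normalizeRequestArrays();
var_dump($_GET['title'], gpVar('title'), gpVar('tags'));
```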