Hi,
$d_version = '0.1.8 r647';
/* WARNING: TODO:
 * this variable localization was moved here to free the front end.
 * This should be removed before any final release, but poses less
 * of a security risk here than in the front end.
 * The admin area still depends heavily on this code, and this should be addressed.
 */
foreach($_POST as $postvar => $postval){ ${$postvar} = $postval; }
foreach($_GET as $getvar => $getval){ ${$getvar} = $getval; }
Moving this from the front end to the background, some input validation is missing.
In \components\:
contact.php line 14: if(!isset($task))$task='view';
download.php line 5: if(!isset($task))$task='view';
guestbook.php line 32: ...'$gb_url','$gb_country','$gb_title','".bbcode($gb_message)
login.php line 5: if(!isset($task))
registration.php line 6: if(!isset($task))$task='register';
and perhaps in banners.php line 3: global $task,$d_root;
In \includes\content.php:
line 11: global $conn,$d,$pop,$pcontent,$access_sql,$my,
There is no input validation for $pop and $pcontent.
A question about the source in dracon.php.
In the php.ini I changed
allow_call_time_pass_reference = Off (default)
to
allow_call_time_pass_reference = On
Each call of the functions in dracon.php produces warnings in my Apache log file.
Quote from the php.ini:
; Whether to enable the ability to force arguments to be passed by reference
; at function call time. This method is deprecated and is likely to be
; unsupported in future versions of PHP/Zend. The encouraged method of
; specifying which arguments should be passed by reference is in the function
; declaration. You're encouraged to try and turn this option Off and make
; sure your scripts work properly with it in order to ensure they will work
; with future versions of the language (you will receive a warning each time
; you use this feature, and the argument will be passed by value instead of by
; reference).
Now my question: why do we use a method, in the redesign of the old Limbo source, that will be unsupported in the future?
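The defensive replacement for the register_globals emulation quoted in the report, as an added example that is not part of the original post or of the project's code: request parameters are read from an allowlist with explicit defaults, so an uninitialized global such as $task can no longer be pre-set from the request. The helper names request_choice and request_int and the $_GET values are assumptions constructed for the demonstration; the last lines also show the by-reference declaration in the function signature that avoids the deprecated call-time & raised in the second question.

```php
<?php
// Added example: allowlisted request handling instead of
//   foreach($_GET as $getvar => $getval){ ${$getvar} = $getval; }
// With that loop, a request like ?task=anything defines $task before
//   if(!isset($task)) $task='view';
// runs, so the default never applies. Here only known parameters exist.

/**
 * Return the request value for $name if it is one of $allowed,
 * otherwise $default. $_POST is checked before $_GET.
 * (Hypothetical helper; the name is an assumption.)
 */
function request_choice($name, array $allowed, $default)
{
    $value = null;
    if (isset($_POST[$name])) {
        $value = $_POST[$name];
    } elseif (isset($_GET[$name])) {
        $value = $_GET[$name];
    }
    // Strict comparison: "0" or "" must not match a valid choice.
    if (is_string($value) && in_array($value, $allowed, true)) {
        return $value;
    }
    return $default;
}

/**
 * Return the request value for $name as a non-negative integer,
 * or $default when it is missing or not purely digits.
 * (Hypothetical helper; the name is an assumption.)
 */
function request_int($name, $default = 0)
{
    $value = isset($_POST[$name]) ? $_POST[$name]
           : (isset($_GET[$name]) ? $_GET[$name] : null);
    return (is_string($value) && ctype_digit($value)) ? (int) $value : $default;
}

// Constructed request for demonstration (normally supplied by the client).
$_GET = array('task' => 'unexpected', 'pop' => '7abc', 'debug' => '1');

$task = request_choice('task', array('view', 'send'), 'view'); // falls back to 'view'
$pop  = request_int('pop', 0);                                 // falls back to 0
// $debug is never created: unknown keys do not become globals.

// Second topic: declare the reference in the signature, not at the call site.
function append_row(array &$rows, $row) { $rows[] = $row; }
$rows = array();
append_row($rows, $task); // no call-time &, yet $rows is modified
```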
franky2004
Logged In: YES
user_id=799761
About the first topic (uninitialized globals): you have
highlighted the missing part of this feature
http://sourceforge.net/tracker/index.php?func=detail&aid=1517734&group_id=166901&atid=840805
to be complete. It was previously attended to by signaltwo, but
I think I'll have to get on it since it is not yet complete.
About your second question: it is a trivial warning, causing
really annoying messages. Code should be re-edited not to use
the & when passing parameters to dracon.php functions. Such
& operator was explicitly used for code readability, but
since they have deprecated it I agree that it should no longer be
used. Its presence, however, does not affect code
execution because the results are the same.
Logged In: YES
user_id=799761
Are the warnings fixed now?
Logged In: YES
user_id=799761
Your suggestions have been fully accepted; when you have
some time, please check if they are OK now.