[PHPiCalendar-DEV] validating $_POST and $_GET values

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

As part of an overall security sweep on my server, I'm thinking of 
modifying my copy of phpicalendar to test the values of all 
user-supplied variables.  I think this would involve rewriting 
init.inc.php (that's what always get's executed first, right?  I would 
use the general approach described in

http://phpsec.org/projects/guide/1.html#1.1

where the tested variables from $_REQUEST[$key] get put into an array 
called $clean['$key'], which replaces $_POST, $_GET, or $_REQUEST where 
appropriate.  This would mean modifying not only init.inc.php, but also 
all files that use superglobals directly.

I don't actually think there are currently security exploits for 
phpicalendar, and I'm not sure how anyone would create one, but I've 
been feeling paranoid, and I've been doing this for all my other code.  
Any thoughts?  Is there are reason not to do this?  It will not be 
compatible with versions of php prior to 4.1.0.

Jim Hu