Hello,
I'm deep in the code right now, as I'm at CERN.
First of all, thanks Sylvain and Tobias for the good work done.
The overall seems very good.
However, I'm puzzled to see some new $_COOKIE[] getting into the code, and a
few things like that. Please, read recipe #122
https://gna.org/cookbook/?func=detailitem&item_id=122
For instance, it states
"USER INPUT SANITIZATION
---------------------------
It is important to always obtain user input from sane_*() functions.
The goal is to get Savane working with register_globals set to off, which
means all variables that can be provided as user input should not come as
globals but always from sane_*() functions, like sane_post() or sane_cookie().
Gradually pages will be register_globals off compliant. The ones that are
have a call to register_globals_off() after the beginning requires. It is
absolutely forbidden to remove such call. Pages that are made compliant with
register_globals set to off should stay that way."
It may seem to you that using $_COOKIE[] is the same as using sane_cookie(), but
it is not. Considering the length of the code, it's not for tomorrow that it will
be register_globals off compliant. The way to proceed is to use the sane_*()
functions, which are register_globals off compliant but which also work with
register_globals_off(), unlike $_COOKIE[]. Each time you add a $_COOKIE[],
which would be fine if all the software were register_globals off compliant,
you add one piece of code that will have to be replaced by sane_cookie().
BTW, if you substantially rewrite some pages, do not hesitate to add the
register_globals_off() call on top and take advantage of the change to have one
more page compliant.
Thanks!
--
Mathieu Roy
| Not everybody on earth is a native English speaker, keep cool :)
| http://stock.coleumes.org/doc.php?i=/misc-files/flawed-english
_______________________________________________
Savane-dev mailing list
[email protected]
https://mail.gna.org/listinfo/savane-dev
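The following is an added illustration of the pattern recipe #122 asks for; it is not Savane's code and not part of the message above. The bodies of sane_cookie(), sane_post() and register_globals_off() are assumptions written to show the idea (read input only through a wrapper over the superglobals, and strip the globals that register_globals=on would have created); the real Savane functions may differ. The simulated request data is constructed for the demo.

```php
<?php
// Added example, not Savane's own code. Hypothetical minimal versions of the
// helpers named in recipe #122, plus a page skeleton using them.

// Hypothetical register_globals_off(): with register_globals=on, PHP copies
// every GET/POST/cookie key into a global of the same name, so any
// uninitialised global (e.g. $is_admin) can be set from the request. This
// removes those copies so a page can only read input via sane_*() functions.
function register_globals_off()
{
    $protected = array('_GET', '_POST', '_COOKIE', '_REQUEST', '_SERVER',
                       '_FILES', '_ENV', '_SESSION', 'GLOBALS');
    foreach (array($_GET, $_POST, $_COOKIE) as $source) {
        foreach (array_keys($source) as $key) {
            if (!in_array($key, $protected, true)
                && array_key_exists($key, $GLOBALS)) {
                unset($GLOBALS[$key]);
            }
        }
    }
}

// Hypothetical sane_cookie(): one value from $_COOKIE, or $default when the
// cookie is absent. Works identically whether register_globals is on or off,
// which is why the recipe prefers it over a bare $_COOKIE[] or a global.
function sane_cookie($name, $default = '')
{
    return isset($_COOKIE[$name]) ? $_COOKIE[$name] : $default;
}

// Hypothetical sane_post(): same shape for $_POST.
function sane_post($name, $default = '')
{
    return isset($_POST[$name]) ? $_POST[$name] : $default;
}

// A page body in the compliant form: the "beginning requires" would go first,
// then the register_globals_off() call the recipe says must never be removed,
// then every input read through sane_*(). Returns what the page saw.
function compliant_page()
{
    // require_once('...'); // Savane's own includes would come here
    register_globals_off();

    // Non-compliant forms the recipe forbids:
    //   $theme = $_COOKIE['theme'];   // works only once everything is converted
    //   $theme;                       // relies on register_globals=on
    $theme   = sane_cookie('theme', 'default');
    $comment = sane_post('comment');
    return array('theme' => $theme, 'comment' => $comment);
}

// Constructed demo data: simulate a request under register_globals=on, where
// PHP would have created $theme and $is_admin as globals from the request.
$_COOKIE = array('theme' => 'dark');
$_POST   = array('comment' => 'hello');
$_GET    = array('is_admin' => '1');
$GLOBALS['theme']    = 'dark';
$GLOBALS['is_admin'] = '1';

$seen = compliant_page();

// After register_globals_off(), the injected globals are gone, but the
// sane_*() wrappers still return the real request values.
var_dump(isset($GLOBALS['is_admin']));  // bool(false)
var_dump(isset($GLOBALS['theme']));     // bool(false)
var_dump($seen['theme'] === 'dark' && $seen['comment'] === 'hello'); // bool(true)
```

Because the wrappers read the superglobals directly, a page converted this way needs no further change when register_globals is finally turned off site-wide, which is the point the message makes about not accumulating $_COOKIE[] uses that would have to be replaced later.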