eviL<3 wrote:This is probably the largest commit i have ever seen.
We've got a new one!
http://code.phpbb.com/repositories/revision/5?rev=9101
Introducing the new request class. All input his handled through this class.
"Given a choice between dancing pigs and security, users will pick
dancing pigs every time." (Gary McGraw and Edward Felten)
What stays the same?
- request_var() keeps working as it used to, alternatively you can directly use
request::variable() which allows choosing which super global you want to read
So what’s new?
- request::disable_super_globals() which disables super globals. This
function causes any direct use of $_POST, $_GET, $_REQUEST or $_COOKIE to
result in an E_USER_ERROR. We hope that this will force MOD authors to at
least think about validation as they will have to read about how to use the
request class.
- request::is_set() / request::is_set_post will be used instead of using isset
directly on super globals
- request_var() now supports arrays with arbitrary depth
- request_var() can be used with an array as the variable name to directly
access values in mutli dimensional arrays.
What’s next?
- request::disable_super_globals() will be active by default (set in
common.php)
- all code will be adjusted to use the new class consistently
- tests for the request class to make sure it works as designed and will not
change behaviour between releases
I’ve also already updated all the code within functions.php to use the request class.