Login

Esthar · 02-15-2017, 01:54 AM

Hi,

yesterday i've done some test on the CI input class, (CI version 3.1.3), and i've noticed that the superglobal arrays keys are filtered by regexp for $_COOKIE, $_POST and $_GET.

The problem is, the if: (($cookie_key = $this->_clean_input_keys($key)) !== FALSE), (row 642, core/input.php), that unset from the superglobal array if not allowed chars are found in the key, is present only for $_COOKIE keys, $_POST and $_GET keys are not veryfied on rows: 613 & 622.

I had test for $_POST and $_GET inserting disallowed chars inside they keys, and those chars are not filtered at all.

Is that a bug or a devolpment choice?

Second question,

why filter by regexp the keys of superglobal array? Is not better to filter values of the superglobal instead?

Thank you,

bye.

***Narf*** · 02-15-2017, 02:19 AM

1. Not a bug, and this entire thing is going away in version 3.2.
2. Keys are values.

Esthar · 02-15-2017, 02:33 AM

1. ok
2. what do you mean with 'keys are values' ? in a superglobal array: $_POST['foo'] = foo2, the filter is for foo, not for foo2, if i write $_POST['foo'] = !*èbjck$%, the key is ok, but the value associated not.

thank you

***Narf*** · 02-15-2017, 03:28 AM

Code:
foreach ($_POST as $key => $value)

{

    shitty_function($key, $value); // $key is a value

}