CiviCRM / CRM-16819

Improve on CRM_Utils_Request::retrieve()

    Details

    • Type: Bug
    • Status: Done/Fixed
    • Priority: Trivial
    • Resolution: Fixed/Completed
    • Affects Version/s: 4.6.4
    • Fix Version/s: 4.7.30
    • Component/s: Core CiviCRM
    • Versioning Impact:
      Patch (backwards-compatible bug fixes)
    • Documentation Required?:
      Developer Doc
    • Funding Source:
      Contributed Code

      Description

      CRM_Utils_Request::retrieve() has several peculiarities. Some notes from IRC chat about this today.

      CRM_Utils_Request::retrieve($name, $type, &$store = NULL, $abort = FALSE, $default = NULL, $method = 'REQUEST')

      • Because of the parameter order, retrieving specifically from $_POST or $_GET requires supplying values for $name (OK), $type (OK), $store (why?), $abort and $default first.
      • Storage should be explicit.
      • $store is by reference but defaults to NULL; you can't pass NULL in (so we have CRM_Core_DAO::$_nullObject as a workaround)

      PHP (from 5.2) provides filter_input() which is clearer and does most of what we need this function to do.

      IMO it is not the job of input validators to provide escaping. On input we should reject unacceptable submitted data; when using data we should escape according to context (encode for SQL storage, encode to HTML for view).

      If we need to XSS escape using a library, we may want to wrap that library in a similar function.

      Some inputs (e.g. > &) may be valid in, e.g., an organisation name, and these characters can safely be accepted and stored; doing so requires dealing with CRM-11532 to escape on output.
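      The following is an added example, not CiviCRM code and not part of this issue, showing the shape the description argues for: retrieval from an explicit source, validation with PHP's filter extension, no escaping on input, and escaping at the point of use. The class name RequestInput, the helper toHtml() and the $sampleGet array are hypothetical. Because filter_input() reads the real superglobals at request time (and returns NULL under the CLI), the example applies the same filters through filter_var() on a constructed array so it runs stand-alone.

```php
<?php
declare(strict_types=1);

// Constructed sample standing in for $_GET (hypothetical data, not from the issue).
$sampleGet = [
    'id'   => '42',
    'name' => 'Smith & Sons <Ltd>',
    'page' => 'abc',
];

final class RequestInput
{
    /**
     * Retrieve $name from an explicit $source array, validated by $filter.
     * Returns $default when the key is absent or fails validation; throws when
     * $required and the key is absent. Deliberately performs no escaping.
     */
    public static function get(array $source, string $name, int $filter, $default = null, bool $required = false, $options = 0)
    {
        if (!array_key_exists($name, $source)) {
            if ($required) {
                throw new InvalidArgumentException("Missing required parameter: $name");
            }
            return $default;
        }
        // Force FILTER_NULL_ON_FAILURE so a NULL result always means "rejected",
        // which keeps boolean filters unambiguous (false is a valid value there).
        if (!is_array($options)) {
            $options = ['flags' => $options];
        }
        $options['flags'] = ($options['flags'] ?? 0) | FILTER_NULL_ON_FAILURE;

        $value = filter_var($source[$name], $filter, $options);
        return $value === null ? $default : $value;
    }
}

// Reject unacceptable input at the boundary: id must be a positive integer.
$id = RequestInput::get($sampleGet, 'id', FILTER_VALIDATE_INT, null, true, ['options' => ['min_range' => 1]]);

// 'abc' is not an integer, so the default page number is used instead.
$page = RequestInput::get($sampleGet, 'page', FILTER_VALIDATE_INT, 1);

// An organisation name may legitimately contain '&' and '<'; accept it unmodified.
$name = RequestInput::get($sampleGet, 'name', FILTER_DEFAULT, '', true);

// Escape for the HTML context only when rendering.
function toHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// For SQL, parameter binding keeps the raw value intact and out of the query text,
// so nothing needs to be "SQL-escaped" on input either (in-memory SQLite via PDO).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE org (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$stmt = $db->prepare('INSERT INTO org (id, name) VALUES (:id, :name)');
$stmt->execute([':id' => $id, ':name' => $name]);

$row = $db->query('SELECT id, name FROM org')->fetch(PDO::FETCH_ASSOC);
printf("stored raw: %s\n", $row['name']);
printf("rendered:   %s\n", toHtml($row['name']));
printf("page:       %d\n", $page);
```

      Run it with the PHP CLI (the pdo_sqlite extension is needed for the storage step). The stored name still contains the literal "&" and "<", the rendered line shows them entity-encoded, and the invalid page value has been replaced by the default rather than escaped or passed through.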


            People

            • Assignee: Unassigned
            • Reporter: xurizaemon Chris Burgess
            • Votes: 0
            • Watchers: 2
