libraries/cleanup.lib.php

   1 <?php
   2 /* vim: set expandtab sw=4 ts=4 sts=4: */
   3 /**
   4  * Functions for cleanup of user input.
   5  *
   6  * @version $Id$
   7  * @package phpMyAdmin
   8  */
   9
  10 /**
  11  * Removes all variables from request except whitelisted ones.
  12  *
  13  * @param string list of variables to allow
  14  * @return nothing
  15  * @access public
  16  * @author  Michal Cihar (michal@cihar.com)
  17  */
  18 function PMA_remove_request_vars(&$whitelist)
  19 {
  20     // do not check only $_REQUEST because it could have been overwritten
  21     // and use type casting because the variables could have become
  22     // strings
  23     $keys = array_keys(array_merge((array)$_REQUEST, (array)$_GET, (array)$_POST, (array)$_COOKIE));
  24
  25     foreach($keys as $key) {
  26         if (! in_array($key, $whitelist)) {
  27             unset($_REQUEST[$key], $_GET[$key], $_POST[$key], $GLOBALS[$key]);
  28         } else {
  29             // allowed stuff could be compromised so escape it
  30             // we require it to be a string
  31             if (isset($_REQUEST[$key]) && ! is_string($_REQUEST[$key])) {
  32                 unset($_REQUEST[$key]);
  33             }
  34             if (isset($_POST[$key]) && ! is_string($_POST[$key])) {
  35                 unset($_POST[$key]);
  36             }
  37             if (isset($_COOKIE[$key]) && ! is_string($_COOKIE[$key])) {
  38                 unset($_COOKIE[$key]);
  39             }
  40             if (isset($_GET[$key]) && ! is_string($_GET[$key])) {
  41                 unset($_GET[$key]);
  42             }
  43         }
  44     }
  45 }
  46 ?>