[pLog-svn] r6443 - plog/branches/lifetype-1.2/templates/admin

Jon Daley plogworld at jon.limedaley.com
Mon May 5 15:57:40 EDT 2008


On Mon, 5 May 2008, Reto Hugi wrote:
> On 05/05/2008 09:08 PM, Jon Daley wrote:
>> On Mon, 5 May 2008, Reto Hugi wrote:
>>> now, what I'm trying to do right now is filtering all the params in
>>> admintemplatedview.class.php before it gets assigned to smarty. I think
>>> this way, we have filtered out all requests right before the output to
>>> the browser, and that's exactly where we should do the filtering.
>>> everything else on a higher level should only be validation (but strict
>>> validation, so that only really acceptable data gets processed!)
>>
>> Do you know what type of filtering to apply at that level? i.e. is
>> there different filtering based on what object it is?
>
> I'd use filterAllHTML() on all request variables. I don't see, where
> that should be a problem at the moment.
>
> My problem is that probably admintemplatedview.class.php is not the
> right place, because the array $this->_params->getAsArray()
> has all the properties (that's a lot of data that gets passed to smarty
> here!).
>
> Unfortunately the Request Class extends the Properties Class which means
> requests are like properties on and I can't distinguish them in
> admintemplatedview.class.php.
>
> Again, I wouldn't want to filter anything else but the request vars.

You do need to make sure to filter it before it gets saved to the
database, right?
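One way to keep request variables distinguishable from the rest of the properties, so that only they are filtered right before the Smarty assignment, shown as an added illustration that is not LifeType code and does not touch the separate question of what gets saved to the database. The `Properties`, `Request` and `filterAllHTML()` below are minimal stand-ins whose names follow the thread but whose bodies are assumptions.

```php
<?php
// Stand-ins for the thread's Properties and Request classes (assumptions, not LifeType code).
class Properties {
    protected array $props = [];
    public function setValue(string $key, $value): void { $this->props[$key] = $value; }
    public function getAsArray(): array { return $this->props; }
}

// Request extends Properties, as in the thread, but additionally records which keys
// were populated from the HTTP request so the view can tell them apart later.
class Request extends Properties {
    private array $requestKeys = [];

    public function __construct(array $get, array $post) {
        foreach ($post + $get as $key => $value) {   // POST takes precedence over GET here
            $this->setValue($key, $value);
            $this->requestKeys[$key] = true;
        }
    }

    public function isRequestKey(string $key): bool {
        return isset($this->requestKeys[$key]);
    }
}

// Stand-in for filterAllHTML(): make the value render as text rather than markup.
function filterAllHTML(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Apply the filter only to request-originated string values, right before the Smarty assign.
function paramsForTemplate(Request $params): array {
    $out = [];
    foreach ($params->getAsArray() as $key => $value) {
        $out[$key] = ($params->isRequestKey($key) && is_string($value))
            ? filterAllHTML($value)
            : $value;
    }
    return $out;
}

// Constructed sample: 'blogId' came from the request, 'blogName' was set internally.
$req = new Request(['blogId' => '<i>from request</i>'], []);
$req->setValue('blogName', 'My <b>blog</b>');
print_r(paramsForTemplate($req));
```

With this, only the `blogId` value is escaped while `blogName` reaches the template unchanged, which is the "request vars only" behaviour described above.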
