There is one form of PHP code injection that we do not need to worry about:
variable injection through 'register globals'. When that php.ini setting is
enabled, every incoming request value (GET, POST and cookie data, not only the URI
query string) is automatically turned into a global variable, literally injecting
variables into a script. Joomla! cannot change the php.ini setting itself, but it
always neutralises it: when the framework loads, JRequest::clean() removes any
request values that 'register globals' has copied into the global scope, so an
extension only ever sees request data through JRequest.
Imagine we are using an input value to determine which class to instantiate. If we
do not sanitize the incoming data, an attacker can name any class that is loaded
or autoloadable, and its constructor will run with whatever side effects it has.
To overcome this we compare the value against a predefined list (an allow-list) of
class names and accept nothing else:
// define allowed classes
$allow = array('Monkey', 'Elephant', 'Lion');
// get the class name
$class = JRequest::getWord('class', 'Monkey', 'GET');
$class = ucfirst(strtolower($class));
Notice that we use the getWord() method to retrieve the value; this ensures that the
value only includes letters and underscores. We also normalise the case of the value
so that it matches the format of the expected names: PHP class names are
case-insensitive, but the in_array() comparison below is not, so without this step
a request for 'monkey' would be rejected. Once we have defined the acceptable
class names and retrieved the value, we can validate it:
if(!in_array($class, $allow))
{
// unknown class, use default
$class = 'Monkey';
}
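The following is an added example, not code from the book or from Joomla!, that
runs the allow-list above outside the framework so the difference between the
unchecked and the checked version can be seen. It assumes PHP 7 or later (for
Throwable) and stands in for JRequest::getWord() with a small getWordFromGet()
function that applies the same letters-and-underscores rule; the Animal classes,
the Cleaner class and the sample inputs are constructed for the demonstration.

```php
<?php
// Added example (not from the book or Joomla!): request-driven class
// instantiation with and without an allow-list. Assumes PHP 7+.
declare(strict_types=1);

// Stand-in for JRequest::getWord($name, $default, 'GET'): keep letters and
// underscores only, and fall back to $default when nothing survives.
function getWordFromGet(string $name, string $default): string
{
    if (!isset($_GET[$name])) {
        return $default;
    }
    $word = preg_replace('/[^A-Z_]/i', '', (string) $_GET[$name]);
    return $word === '' ? $default : $word;
}

// The three classes the page allows.
class Monkey   { public function speak(): string { return 'ook'; } }
class Elephant { public function speak(): string { return 'toot'; } }
class Lion     { public function speak(): string { return 'roar'; } }

// A constructed stand-in for any loaded class whose constructor has side
// effects. It does nothing here; the point is that a URL must not reach it.
class Cleaner
{
    public function __construct() { /* imagine: unlink('important.log'); */ }
}

// Vulnerable: whatever survives the word filter is instantiated as-is.
function makeAnimalUnchecked(): object
{
    $class = getWordFromGet('class', 'Monkey');
    return new $class();          // 'Cleaner' gets through unchallenged
}

// Hardened: normalise case, then accept only names from the fixed list.
function makeAnimalChecked(): object
{
    $allow = ['Monkey', 'Elephant', 'Lion'];
    $class = getWordFromGet('class', 'Monkey');
    $class = ucfirst(strtolower($class));
    if (!in_array($class, $allow, true)) {   // strict: no type juggling
        $class = 'Monkey';                   // unknown class, use default
    }
    return new $class();
}

// Report what each version instantiates; an unknown class name makes
// "new $class" throw an Error in PHP 7+, which is reported rather than fatal.
function describe(callable $factory): string
{
    try {
        return get_class($factory());
    } catch (Throwable $e) {
        return 'ERROR: ' . $e->getMessage();
    }
}

// Constructed sample inputs: valid names in odd case, an attack, junk, empty.
$cases = ['monkey', 'LION', 'Cleaner', 'Elephant_', '../x', ''];
foreach ($cases as $input) {
    $_GET['class'] = $input;
    printf("%-12s unchecked=%-32s checked=%s\n",
        var_export($input, true),
        describe('makeAnimalUnchecked'),
        describe('makeAnimalChecked'));
}
```

Run it with `php` from the command line. The unchecked factory instantiates
Cleaner on request and throws on names that are not classes at all; the checked
factory maps every input to one of the three allowed classes. Falling back to the
default silently, as the book does, keeps the page working, but a request for a
name outside the list is also a useful signal to log, since it almost always
means someone is probing.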
Error Handling and Security
[ 330 ]
Imagine we want to execute a shell command.