fastcgipp-users

Re: Re: [Fastcgipp-users] Re: form handler crashing if posts key missin


From: Axel von Bertoldi
Subject: Re: Re: [Fastcgipp-users] Re: form handler crashing if posts key missing
Date: Wed, 6 Jan 2010 16:17:56 -0700

Added a fix for this in get-post-data-support branch. Eddie, I'll leave it to your discretion to review and merge it with master.

@Mike, the correct/safe way to fetch post (or get) variables is with Environment::requestVarGet() (instead of your original example).

Cheers,
a.

On Tue, Jan 5, 2010 at 10:51 PM, <address@hidden> wrote:
Yes, you are pushing the limits of my current grasp on fastcgi++ internals, but I
am starting to read the code and know my way around.

I think a straightforward way to check for the existence of a key regardless of
enctype is useful for server-side validation because end users can never be
relied upon to do anything sanely or as requested. Client-side JavaScript
validation would help a bit, but a malicious user or user with JavaScript
disabled could still potentially bring the site down by submitting blank fields.

BTW, just to clarify: the three fields I have in my contact form are all form
data (type="text", textarea) rather than file data (type="file"), unless I have
not understood you correctly.

Mike

On Wed 06/01/10 10:59 AM , Axel von Bertoldi address@hidden sent:
> Hi there,
>
> Just looked at the relevant code and have found the problem; it's
> related to Post::Type. It's not a difficult problem to fix, but might
> be hard to explain so bear with me. Environment::requestVarExists
> checks if post data exists for the associated key and will return true
> if the post data is of type Post::Type::file or Post::Type::form.
> Environment::requestVarGet also checks if post data exists for the
> associated key before retrieving it. However, when I wrote
> requestVarGet I assumed it would only be used for Post::Type::form
> data. I think that was a faulty assumption. So requestVarGet and
> requestVarExists are not consistent.
>
> Mike, strangely, in your above example you have made the same mistake
> I did; you check the existence of post data for the given key, and
> then assume it's Post::Type::form data. If it's not,
> environment.posts["name"].value will be undefined (or empty, Eddie?)
> and you get a crasher.
>
> So, the solution is to make Environment::requestVarExists and
> Environment::requestVarGet consistent.
>
> Option 1: Change requestVarExists to return true if a value for the
> key exists AND the data is of type Post::Type::form
> Option 2: Change requestVarGet to return the shared array at
> Post::data if the data for the associated key is of type
> Post::Type::file.
>
> Eddie, do you have a preference? I suspect #2 would be more useful.
>
> Cheers,
> axel.
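
A minimal model of the check/use mismatch described in this thread, added here as an illustration and not code from fastcgi++ or from the branch mentioned above. `Post`, `varExists`, `formVarExists` and `formVarGet` are hypothetical stand-ins for the library's types and methods, and the sample request is constructed; the getter and the existence check agree on both key and type, as in Option 1.

```cpp
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Simplified stand-in for a post record (assumption, not the fastcgi++ definition).
enum class PostType { form, file };
struct Post {
    PostType type;
    std::string value;       // meaningful only when type == PostType::form
    std::vector<char> data;  // meaningful only when type == PostType::file
};
typedef std::map<std::string, Post> Posts;

// Existence check as described in the thread: true for form AND file entries.
bool varExists(const Posts& posts, const std::string& key) {
    return posts.find(key) != posts.end();
}

// Option 1: a key only "exists" as a text variable if it holds form data.
bool formVarExists(const Posts& posts, const std::string& key) {
    Posts::const_iterator it = posts.find(key);
    return it != posts.end() && it->second.type == PostType::form;
}

// One lookup that checks key and type together, so the caller never reads
// `value` from a file entry or from a key the client did not send.
bool formVarGet(const Posts& posts, const std::string& key, std::string& out) {
    Posts::const_iterator it = posts.find(key);  // find() never inserts, unlike operator[]
    if (it == posts.end() || it->second.type != PostType::form) return false;
    out = it->second.value;
    return true;
}

// Constructed request: one text field, one upload, and no "message" field at all.
Posts samplePosts() {
    Posts p;
    p["name"] = Post{PostType::form, "Mike", {}};
    p["photo"] = Post{PostType::file, "", {'\x89', 'P', 'N', 'G'}};
    return p;
}

int main() {
    const Posts p = samplePosts();
    const char* keys[] = {"name", "photo", "message"};
    for (const char* k : keys) {
        std::string v;
        std::cout << k << ": exists=" << varExists(p, k)
                  << " formExists=" << formVarExists(p, k)
                  << " get=" << (formVarGet(p, k, v) ? v : "<rejected>") << "\n";
    }
    return 0;
}
```

The `photo` key is the case from the thread: the plain existence check passes, but the typed getter refuses to treat it as a text value.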




