Jump to content

Trouble getting module validated - $_POST


mzfp

Recommended Posts

HI

 

I'm having trouble getting my module validated by the addons team even though the module passes their validator tool.  The offending code is below.

foreach ($_POST as $key => $value)
{
    if (strpos($key, 'unit_') !== false)
    {
         $id_ppbs_unit = explode('_', $key);
         /// ..rest of code
    }
}

The complaint is that I should use:

$id_ppbs_unit = explode('_', Tools::getValue($key)); instead of what I have above, however i need the key itself so using Tools::getValue doesn't achieve what I need it to do above

 

I wonder if this is fixable?  What confuses me is that the module was accepted the first time which had the code above, and after a version update it's now being declined (even though it passes the module validator tool as already mentioned)

 

 

Link to comment
Share on other sites

Do you make use of the value as well, or is it just the key storing the info? If so, could just set the value to be the same as the key, so you can use the getValue function to pass the validation perhaps?

 

Without seeing the rest of the code, it's hard to tell whether it's a reasonable issue or not, it might be that grabbing the keys directly is leaving your code with injection vulnerabilities, is the likely explanation

 

If that was the case, you could manually run the key through some of the protection to help, such as :

$key = stripslashes(urldecode(preg_replace('/((\%5C0+)|(\%00+))/i', '', urlencode($key))));

The other way of handling things would be to start using an array of data rather than just leaving it in basic post and looping through the lot. So you'd run getValue("units") and have a list of all the units in $_POST['units']

Link to comment
Share on other sites

Hi,

 

Thanks for your help, 

 

FullCircles, I make use of both the key and the value, the value is run through Tools::getValue as required, but of course, the key cannot be.  Your suggestion to run the key through some manual protection is worth a try, I will try that.  Failing that I'll need to modify the form data being sent, either way it's useful lesson for the future :)

 

 

Shacker, thanks but that wasn't helpful at all, Tools::getValue() works only for the element value, not the key.  I should also point out there are many places in Prestashop's core code which use the same technique as I am doing (accessing they key for elements in a $_POST array directly as there is no alternative method at present)

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...