使用了 Moodle 的函数 optional_param()，下面是这个函数的源码：
/**
 * Returns a particular value for the named variable, taken from
 * POST or GET, otherwise returning a given default.
 *
 * This function should be used to initialise all optional values
 * in a script that are based on parameters. Usually it will be
 * used like this:
 * $name = optional_param('name', 'Fred');
 *
 * Only $_POST and $_GET are consulted, and POST wins when both carry the
 * name; $_REQUEST and $_COOKIE are never read. When the parameter is
 * absent, $default is returned exactly as given, without going through
 * clean_param(), so pass a literal default rather than another request
 * value. The default $options, PARAM_CLEAN, hands the value to
 * clean_param(), whose PARAM_CLEAN path only calls clean_text() (a script
 * sweep, per its comment) - that is not escaping for SQL, shell or any
 * other sink, so choose the narrowest PARAM_* type that fits the value.
 *
 * @param string $varname the name of the parameter variable we want
 * @param mixed $default the default value to return if nothing is found
 * @param integer $options a bit field that specifies any cleaning needed
 * @return mixed
 */
function optional_param($varname, $default=NULL, $options=PARAM_CLEAN) {
    global $CFG;

    // detect_unchecked_vars addition: asking for a parameter through this
    // function marks it as checked.
    if (!empty($CFG->detect_unchecked_vars)) {
        global $UNCHECKED_VARS;
        unset($UNCHECKED_VARS->vars[$varname]);
    }

    // POST has precedence over GET.
    $source = null;
    if (isset($_POST[$varname])) {
        $source = $_POST;
    } elseif (isset($_GET[$varname])) {
        $source = $_GET;
    }

    if ($source === null) {
        return $default; // returned as-is: the default is never cleaned
    }

    return clean_param($source[$varname], $options);
}
/**
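* Used by {@link optional_param()} and {@link required_param()} to
* clean the variables and/or cast to specific types, based on
* an options field.
*
* Notes for callers:
* - An integer-looking value returns early as an int, before any of the
*   PARAM_* filters run.
* - PARAM_CLEAN and PARAM_CLEANHTML only pass the value through
*   clean_text() (defined elsewhere; "sweep for scripts" per its comment).
*   That is not escaping for SQL, shell or any other sink - pick the
*   narrowest PARAM_* type that describes the value.
* - Review fixes in this version: PARAM_HOST now keeps the result of its
*   character filter and checks the octets $match[1]..$match[4] instead of
*   $match[0], [1], [3], [4]; PARAM_LOCALURL no longer treats a
*   protocol-relative "//host/..." as root-relative and requires a
*   delimiter after $CFG->wwwroot; the ereg*() calls (removed in PHP 7) are
*   replaced by preg_*() equivalents; the include of
*   lib/validateurlsyntax.php is a statement again rather than part of a
*   comment.
* - PARAM_* constants, clean_text(), clean_filename() and
*   validateUrlSyntax() are defined elsewhere in Moodle.
*
* @param mixed $param the variable we are cleaning; arrays are cleaned element by element
* @param integer $options a bit field that specifies the cleaning needed
* @return mixed
*/
function clean_param($param, $options) {
    global $CFG;

    if (is_array($param)) {
        // Clean each element with the same options; keys are kept untouched.
        $newparam = array();
        foreach ($param as $key => $value) {
            $newparam[$key] = clean_param($value, $options);
        }
        return $newparam;
    }

    if (!$options) {
        return $param; // no cleaning requested: return the raw value
    }

    if ((string)$param == (string)(int)$param) {
        // It's just an integer: cast it and skip every filter below.
        return (int)$param;
    }

    if ($options & PARAM_CLEAN) {
        // NOTE(review): the strip/add slashes pair presumably assumes the
        // request value still carries magic-quotes style escaping - confirm.
        $param = stripslashes($param);   // Needed by kses to work fine
        $param = clean_text($param);     // Sweep for scripts, etc
        $param = addslashes($param);     // Restore original request parameter slashes
    }

    if ($options & PARAM_INT) {
        $param = (int)$param;            // Convert to integer
    }

    if ($options & PARAM_ALPHA) {        // Remove everything not a-zA-Z
        $param = preg_replace('/[^a-zA-Z]/', '', $param);
    }

    if ($options & PARAM_ALPHANUM) {     // Remove everything not a-zA-Z0-9
        $param = preg_replace('/[^A-Za-z0-9]/', '', $param);
    }

    if ($options & PARAM_ALPHAEXT) {     // Remove everything not a-zA-Z/_-
        $param = preg_replace('~[^a-zA-Z/_-]~', '', $param);
    }

    if ($options & PARAM_BOOL) {         // Convert to 1 or 0
        $tempstr = strtolower($param);
        if ($tempstr === 'on') {
            $param = 1;
        } else if ($tempstr === 'off') {
            $param = 0;
        } else {
            $param = empty($param) ? 0 : 1;
        }
    }

    if ($options & PARAM_NOTAGS) {       // Strip all tags completely
        $param = strip_tags($param);
    }

    if ($options & PARAM_SAFEDIR) {      // Remove everything not a-zA-Z0-9_-
        $param = preg_replace('/[^a-zA-Z0-9_-]/', '', $param);
    }

    if ($options & PARAM_CLEANFILE) {    // allow only safe characters
        $param = clean_filename($param);
    }

    if ($options & PARAM_FILE) {
        // Strip control characters, quote/shell/separator characters and any
        // run of two or more dots, so the value cannot name a directory.
        $param = preg_replace('~[[:cntrl:]<>"`|\':\\\\/]~', '', $param);
        $param = preg_replace('/\.\.+/', '', $param);
        if ($param === '.') {
            $param = '';
        }
    }

    if ($options & PARAM_PATH) {
        // Normalise a file path: un-escape quotes, use forward slashes, drop
        // control/quote characters, then collapse ".." runs, repeated
        // slashes and "/./" segments. NOTE(review): this is a denylist -
        // callers should still resolve the result against an allowed base
        // directory before touching the filesystem.
        $param = str_replace('\\\'', '\'', $param);
        $param = str_replace('\\"', '"', $param);
        $param = str_replace('\\', '/', $param);
        $param = preg_replace('~[[:cntrl:]<>"`|\':\\\\]~', '', $param);
        $param = preg_replace('/\.\.+/', '', $param);
        $param = preg_replace('~//+~', '/', $param);
        $param = preg_replace('~/(\./)+~', '/', $param);
    }

    if ($options & PARAM_HOST) {
        // Allow an FQDN or an IPv4 dotted quad. Keep only hostname characters
        // first; the original discarded preg_replace()'s return value, so
        // this filter never took effect.
        $param = preg_replace('/[^\.\d\w-]/', '', $param);
        // The dotted-quad test is anchored so a quad embedded in a longer
        // string is judged by the FQDN rules below instead.
        if (preg_match('/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/', $param, $match)) {
            // $match[0] is the whole match; the octets are $match[1]..$match[4]
            // (the original tested [0], [1], [3], [4] and never [2]).
            if ((int)$match[1] > 255 || (int)$match[2] > 255
                    || (int)$match[3] > 255 || (int)$match[4] > 255) {
                // hmmm, what kind of dotted quad is this?
                $param = '';
            }
        } elseif (preg_match('/^[\w\d\.-]+$/', $param)   // letters, digits, dots, hyphens
                && !preg_match('/^[\.-]/', $param)        // no leading dots/hyphens
                && !preg_match('/[\.-]$/', $param)) {     // no trailing dots/hyphens
            // all is ok - $param is respected
        } else {
            // all is not ok...
            $param = '';
        }
    }

    if ($options & PARAM_URL) {
        // allow safe ftp, http, mailto urls
        include_once($CFG->dirroot . '/lib/validateurlsyntax.php');
        // validateUrlSyntax() option string:
        //   s? scheme optional; H? http, S? https, F? ftp, E? mailto optional
        //   u- user section not allowed; P- password not allowed
        //   a? address optional; I? numeric IP optional (IP or domain)
        //   p- port not allowed -- restrict to default port
        //   f? "file" path optional; q? query optional; r? fragment optional
        if (!empty($param) && validateUrlSyntax($param, 's?H?S?F?E?u-P-a?I?p-f?q?r?')) {
            // all is ok, param is respected
        } else {
            $param = ''; // not really ok
        }
        // Clear the URL bit so a plain PARAM_URL does not also satisfy the
        // PARAM_LOCALURL test below (same effect as the original "^=", since
        // the bit is known to be set here).
        $options &= ~PARAM_URL;
    }

    if ($options & PARAM_LOCALURL) {
        // Allow root-relative URLs, absolute URLs under $CFG->wwwroot and
        // plain relative URLs. NOTE(review): the original comment said
        // "assume we passed the PARAM_URL test"; that only holds if
        // PARAM_LOCALURL includes the PARAM_URL bit - confirm against the
        // constant definitions.
        if (!empty($param)) {
            if (preg_match('~^/(?![/\\\\])~', $param)) {
                // Root-relative. A second "/" or "\" ("//evil.example/...")
                // makes the URL protocol-relative, i.e. another host, so it
                // is no longer accepted here and falls through to the
                // relative-URL check instead.
            } elseif (preg_match('/^' . preg_quote(rtrim($CFG->wwwroot, '/'), '/') . '(?:[\/?#]|$)/i', $param)) {
                // Absolute and under our wwwroot. Requiring "/", "?", "#" or
                // end-of-string after wwwroot stops
                // "http://example.com.evil.net/..." from matching wwwroot
                // "http://example.com" as a bare prefix.
            } else {
                // relative - let's make sure there are no tricks. The include
                // is repeated here so this branch works even when the
                // PARAM_URL branch above did not run.
                include_once($CFG->dirroot . '/lib/validateurlsyntax.php');
                if (!validateUrlSyntax($param, 's-u-P-a-p-f+q?r?')) {
                    $param = '';
                }
            }
        }
    }

    if ($options & PARAM_CLEANHTML) {
        $param = stripslashes($param); // Remove any slashes
        $param = clean_text($param);   // Sweep for scripts, etc
        $param = trim($param);         // Trim surrounding whitespace
    }

    return $param;
}
在moodle编码规范中,出于安全考虑,要求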
用 optional_param() 代替直接读取 $_GET、$_POST、$_REQUEST；下面是这个函数的源码：
/**
 * Returns a particular value for the named variable, taken from
 * POST or GET, otherwise returning a given default.
 *
 * This function should be used to initialise all optional values
 * in a script that are based on parameters. Usually it will be
 * used like this:
 * $name = optional_param('name', 'Fred');
 *
 * Only $_POST and $_GET are consulted, and POST wins when both carry the
 * name; $_REQUEST and $_COOKIE are never read. When the parameter is
 * absent, $default is returned exactly as given, without going through
 * clean_param(), so pass a literal default rather than another request
 * value. The default $options, PARAM_CLEAN, hands the value to
 * clean_param(), whose PARAM_CLEAN path only calls clean_text() (a script
 * sweep, per its comment) - that is not escaping for SQL, shell or any
 * other sink, so choose the narrowest PARAM_* type that fits the value.
 *
 * @param string $varname the name of the parameter variable we want
 * @param mixed $default the default value to return if nothing is found
 * @param integer $options a bit field that specifies any cleaning needed
 * @return mixed
 */
function optional_param($varname, $default=NULL, $options=PARAM_CLEAN) {
    global $CFG;

    // detect_unchecked_vars addition: asking for a parameter through this
    // function marks it as checked.
    if (!empty($CFG->detect_unchecked_vars)) {
        global $UNCHECKED_VARS;
        unset($UNCHECKED_VARS->vars[$varname]);
    }

    // POST has precedence over GET.
    $source = null;
    if (isset($_POST[$varname])) {
        $source = $_POST;
    } elseif (isset($_GET[$varname])) {
        $source = $_GET;
    }

    if ($source === null) {
        return $default; // returned as-is: the default is never cleaned
    }

    return clean_param($source[$varname], $options);
}
/**
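* Used by {@link optional_param()} and {@link required_param()} to
* clean the variables and/or cast to specific types, based on
* an options field.
*
* Notes for callers:
* - An integer-looking value returns early as an int, before any of the
*   PARAM_* filters run.
* - PARAM_CLEAN and PARAM_CLEANHTML only pass the value through
*   clean_text() (defined elsewhere; "sweep for scripts" per its comment).
*   That is not escaping for SQL, shell or any other sink - pick the
*   narrowest PARAM_* type that describes the value.
* - Review fixes in this version: PARAM_HOST now keeps the result of its
*   character filter and checks the octets $match[1]..$match[4] instead of
*   $match[0], [1], [3], [4]; PARAM_LOCALURL no longer treats a
*   protocol-relative "//host/..." as root-relative and requires a
*   delimiter after $CFG->wwwroot; the ereg*() calls (removed in PHP 7) are
*   replaced by preg_*() equivalents; the include of
*   lib/validateurlsyntax.php is a statement again rather than part of a
*   comment.
* - PARAM_* constants, clean_text(), clean_filename() and
*   validateUrlSyntax() are defined elsewhere in Moodle.
*
* @param mixed $param the variable we are cleaning; arrays are cleaned element by element
* @param integer $options a bit field that specifies the cleaning needed
* @return mixed
*/
function clean_param($param, $options) {
    global $CFG;

    if (is_array($param)) {
        // Clean each element with the same options; keys are kept untouched.
        $newparam = array();
        foreach ($param as $key => $value) {
            $newparam[$key] = clean_param($value, $options);
        }
        return $newparam;
    }

    if (!$options) {
        return $param; // no cleaning requested: return the raw value
    }

    if ((string)$param == (string)(int)$param) {
        // It's just an integer: cast it and skip every filter below.
        return (int)$param;
    }

    if ($options & PARAM_CLEAN) {
        // NOTE(review): the strip/add slashes pair presumably assumes the
        // request value still carries magic-quotes style escaping - confirm.
        $param = stripslashes($param);   // Needed by kses to work fine
        $param = clean_text($param);     // Sweep for scripts, etc
        $param = addslashes($param);     // Restore original request parameter slashes
    }

    if ($options & PARAM_INT) {
        $param = (int)$param;            // Convert to integer
    }

    if ($options & PARAM_ALPHA) {        // Remove everything not a-zA-Z
        $param = preg_replace('/[^a-zA-Z]/', '', $param);
    }

    if ($options & PARAM_ALPHANUM) {     // Remove everything not a-zA-Z0-9
        $param = preg_replace('/[^A-Za-z0-9]/', '', $param);
    }

    if ($options & PARAM_ALPHAEXT) {     // Remove everything not a-zA-Z/_-
        $param = preg_replace('~[^a-zA-Z/_-]~', '', $param);
    }

    if ($options & PARAM_BOOL) {         // Convert to 1 or 0
        $tempstr = strtolower($param);
        if ($tempstr === 'on') {
            $param = 1;
        } else if ($tempstr === 'off') {
            $param = 0;
        } else {
            $param = empty($param) ? 0 : 1;
        }
    }

    if ($options & PARAM_NOTAGS) {       // Strip all tags completely
        $param = strip_tags($param);
    }

    if ($options & PARAM_SAFEDIR) {      // Remove everything not a-zA-Z0-9_-
        $param = preg_replace('/[^a-zA-Z0-9_-]/', '', $param);
    }

    if ($options & PARAM_CLEANFILE) {    // allow only safe characters
        $param = clean_filename($param);
    }

    if ($options & PARAM_FILE) {
        // Strip control characters, quote/shell/separator characters and any
        // run of two or more dots, so the value cannot name a directory.
        $param = preg_replace('~[[:cntrl:]<>"`|\':\\\\/]~', '', $param);
        $param = preg_replace('/\.\.+/', '', $param);
        if ($param === '.') {
            $param = '';
        }
    }

    if ($options & PARAM_PATH) {
        // Normalise a file path: un-escape quotes, use forward slashes, drop
        // control/quote characters, then collapse ".." runs, repeated
        // slashes and "/./" segments. NOTE(review): this is a denylist -
        // callers should still resolve the result against an allowed base
        // directory before touching the filesystem.
        $param = str_replace('\\\'', '\'', $param);
        $param = str_replace('\\"', '"', $param);
        $param = str_replace('\\', '/', $param);
        $param = preg_replace('~[[:cntrl:]<>"`|\':\\\\]~', '', $param);
        $param = preg_replace('/\.\.+/', '', $param);
        $param = preg_replace('~//+~', '/', $param);
        $param = preg_replace('~/(\./)+~', '/', $param);
    }

    if ($options & PARAM_HOST) {
        // Allow an FQDN or an IPv4 dotted quad. Keep only hostname characters
        // first; the original discarded preg_replace()'s return value, so
        // this filter never took effect.
        $param = preg_replace('/[^\.\d\w-]/', '', $param);
        // The dotted-quad test is anchored so a quad embedded in a longer
        // string is judged by the FQDN rules below instead.
        if (preg_match('/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/', $param, $match)) {
            // $match[0] is the whole match; the octets are $match[1]..$match[4]
            // (the original tested [0], [1], [3], [4] and never [2]).
            if ((int)$match[1] > 255 || (int)$match[2] > 255
                    || (int)$match[3] > 255 || (int)$match[4] > 255) {
                // hmmm, what kind of dotted quad is this?
                $param = '';
            }
        } elseif (preg_match('/^[\w\d\.-]+$/', $param)   // letters, digits, dots, hyphens
                && !preg_match('/^[\.-]/', $param)        // no leading dots/hyphens
                && !preg_match('/[\.-]$/', $param)) {     // no trailing dots/hyphens
            // all is ok - $param is respected
        } else {
            // all is not ok...
            $param = '';
        }
    }

    if ($options & PARAM_URL) {
        // allow safe ftp, http, mailto urls
        include_once($CFG->dirroot . '/lib/validateurlsyntax.php');
        // validateUrlSyntax() option string:
        //   s? scheme optional; H? http, S? https, F? ftp, E? mailto optional
        //   u- user section not allowed; P- password not allowed
        //   a? address optional; I? numeric IP optional (IP or domain)
        //   p- port not allowed -- restrict to default port
        //   f? "file" path optional; q? query optional; r? fragment optional
        if (!empty($param) && validateUrlSyntax($param, 's?H?S?F?E?u-P-a?I?p-f?q?r?')) {
            // all is ok, param is respected
        } else {
            $param = ''; // not really ok
        }
        // Clear the URL bit so a plain PARAM_URL does not also satisfy the
        // PARAM_LOCALURL test below (same effect as the original "^=", since
        // the bit is known to be set here).
        $options &= ~PARAM_URL;
    }

    if ($options & PARAM_LOCALURL) {
        // Allow root-relative URLs, absolute URLs under $CFG->wwwroot and
        // plain relative URLs. NOTE(review): the original comment said
        // "assume we passed the PARAM_URL test"; that only holds if
        // PARAM_LOCALURL includes the PARAM_URL bit - confirm against the
        // constant definitions.
        if (!empty($param)) {
            if (preg_match('~^/(?![/\\\\])~', $param)) {
                // Root-relative. A second "/" or "\" ("//evil.example/...")
                // makes the URL protocol-relative, i.e. another host, so it
                // is no longer accepted here and falls through to the
                // relative-URL check instead.
            } elseif (preg_match('/^' . preg_quote(rtrim($CFG->wwwroot, '/'), '/') . '(?:[\/?#]|$)/i', $param)) {
                // Absolute and under our wwwroot. Requiring "/", "?", "#" or
                // end-of-string after wwwroot stops
                // "http://example.com.evil.net/..." from matching wwwroot
                // "http://example.com" as a bare prefix.
            } else {
                // relative - let's make sure there are no tricks. The include
                // is repeated here so this branch works even when the
                // PARAM_URL branch above did not run.
                include_once($CFG->dirroot . '/lib/validateurlsyntax.php');
                if (!validateUrlSyntax($param, 's-u-P-a-p-f+q?r?')) {
                    $param = '';
                }
            }
        }
    }

    if ($options & PARAM_CLEANHTML) {
        $param = stripslashes($param); // Remove any slashes
        $param = clean_text($param);   // Sweep for scripts, etc
        $param = trim($param);         // Trim surrounding whitespace
    }

    return $param;
}
在moodle编码规范中,出于安全考虑,要求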
用 optional_param() 代替直接读取 $_GET、$_POST、$_REQUEST：它返回从 $_POST（优先）或 $_GET 取得的值，并按 $options 做清洗；例如 optional_param('id', 0, PARAM_INT) 会把值转换为整数，参数缺失时返回缺省值 0（注意缺省值本身不经过清洗）。