integral-learning / moodle-auth_mumie


Superglobal variables should not be accessed #3

Closed mudrd8mz closed 4 years ago

mudrd8mz commented 4 years ago

Moodle plugins should not read data directly from superglobals such as $_POST or $_GET; the input-parameter processing helpers should be used, especially when the expected type of the input is known (such as integer).

Please review verifyToken.php and prelogout.php to see if these can be replaced there with something like required_param() and appropriate param type such as PARAM_URL.

jtgoltz commented 4 years ago

Thank you for raising that point. We'll get rid of $_POST and $_GET, but I don't think that there is a good alternative for $_SERVER['REQUEST_METHOD'].

mudrd8mz commented 4 years ago

In your case, it seems you could use Moodle's core function data_submitted() eventually followed by the clean_param() call to sanitise the input, e.g. PARAM_INT for the userId etc.

jtgoltz commented 4 years ago

data_submitted is exactly what we needed. Thanks a lot!
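The pattern discussed in this thread, written out as an added example (this is not code from the moodle-auth_mumie repository). It assumes the script sits one directory below Moodle's config.php and that the client posts two fields with the hypothetical names `userId` and `url`; the three functions show the raw superglobal access the reviewer objected to, the `required_param()` replacement, and the `data_submitted()` + `clean_param()` replacement that also removes the manual `$_SERVER['REQUEST_METHOD']` check:

```php
<?php
// Added example, not part of the moodle-auth_mumie project.
// Assumption: this file lives one directory below Moodle's config.php, and the
// client posts the (hypothetical) fields "userId" and "url".
require_once(__DIR__ . '/../config.php');

// Before: raw superglobal access. Nothing guarantees that userId is an
// integer or that url is a well-formed URL, and the request-method check is
// done by hand against $_SERVER.
function read_input_unsafe(): ?array {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return null;
    }
    return [
        'userid' => $_POST['userId'],   // untyped; may be absent or a string
        'url'    => $_POST['url'],
    ];
}

// After, option 1: required_param() cleans the value to the declared type and
// throws a moodle_exception when the parameter is missing. It reads from both
// GET and POST, so use it when the request method does not matter.
function read_input_required(): array {
    $userid = required_param('userId', PARAM_INT);
    $url    = required_param('url', PARAM_URL);
    return ['userid' => $userid, 'url' => $url];
}

// After, option 2: data_submitted() returns the POST data as an object, or
// false when the request carried no POST data. That replaces the manual
// REQUEST_METHOD check; each field is then cleaned with clean_param().
function read_input_submitted(): ?array {
    $data = data_submitted();
    if ($data === false) {
        return null;   // not a POST request, or an empty one
    }
    // clean_param() returns 0 for a non-integer and '' for an invalid URL,
    // so the checks below reject anything that did not survive cleaning.
    $userid = clean_param($data->userId ?? '', PARAM_INT);
    $url    = clean_param($data->url ?? '', PARAM_URL);
    if ($userid <= 0 || $url === '') {
        return null;
    }
    return ['userid' => $userid, 'url' => $url];
}

$input = read_input_submitted();
if ($input === null) {
    print_error('invalidrequest');   // Moodle's standard error page
}
// $input['userid'] is now an int and $input['url'] a cleaned URL string.
```

Option 2 is the one the thread settles on: `data_submitted()` answers the "was this a POST?" question without touching `$_SERVER`, and `clean_param()` applies the same type cleaning that `required_param()` does, so the two options accept the same values for the same `PARAM_*` types.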