During the development of any software, a programmer needs not only to write clean code on a well-thought-out architecture, but also to keep in mind all sorts of checks and incorrect user actions, above all the validation of incoming user data, because the product will be used both by ordinary people, who can make a mistake when submitting data, and by attackers (in simple words, “hackers”), who will look for vulnerabilities and bugs. In both cases, if the code allows it, a vulnerability can cause serious problems up to financial loss, which is, of course, highly undesirable.
Novice programmers, because of their inexperience, may miss (fail to foresee) some security points, but we are all human: even large corporations with an impressive staff of professional, experienced programmers fail to see the “holes” in their software. Even Google Inc. and Apple have had loud stories related to leakage of user data through the hacking of various services of these companies.
Code security in Moodle
Like any open-source system, Moodle is constantly updated and, once critical bugs are discovered, they are fixed quickly, so at the moment, with the support of a community of thousands of Moodle developers, this kind of “bug” is virtually eliminated from the core. Moodle plugins are another matter: they are written by enthusiasts (who, of course, deserve special thanks), and their level of development is unknown to anyone, so before publication each plugin passes certain tests by Moodle core programmers, who know from experience what to check. For example, one of the main Moodle developers, after checking yet another plugin, wrote on Twitter:
When we ask #moodledev to follow the #moodle coding style, we have reasons.
$a=$_REQUEST['a']; $sql = "SELECT … WHERE a={$a}";
— David Mudrák (@mudrd8mz) 19 December 2014
Checking, filtering and processing Moodle input data
Description of built-in Moodle functions for code security
fix_utf8mb4($value)
- Description — converts input data to utf8mb4 encoding; illegal characters are discarded
- Parameters — $value — the variable to be converted to utf8mb4

clean_param($param, $type)
- Description — cleans a variable and casts it to the requested type. Used internally by the Moodle functions optional_param and required_param
- File location — lib/moodlelib.php
- Parameters — $param — the parameter (variable) to be processed; $type — the expected parameter type. Possible values:
  PARAM_RAW — “cleans” nothing, only applies fix_utf8mb4
  PARAM_RAW_TRIMMED — “cleans” nothing, but cuts (trims) the extra spaces at the beginning and end of the value. Uses the basic PHP function trim after fix_utf8mb4
  PARAM_CLEANHTML — “cleans” HTML code
  PARAM_INT — casts the value to an integer
  PARAM_FLOAT — casts the value to a floating-point number
  PARAM_ALPHA — removes all characters except lowercase letters (uppercase letters are removed)
  PARAM_ALPHAEXT — removes all characters except letters, leaving both uppercase and lowercase letters
  PARAM_ALPHANUM — removes all characters except letters and digits
  PARAM_ALPHANUMEXT — removes all characters except letters, digits and dashes
  PARAM_SEQUENCE — removes all characters except digits
  PARAM_BOOL — casts to 1 (true) or 0 (false)
  PARAM_NOTAGS — removes all HTML tags using the PHP function strip_tags, then applies fix_utf8mb4
  PARAM_TEXT — keeps the text and removes all HTML tags except the lang tags
  PARAM_COMPONENT — returns the component name without its prefix, for example the string mod_somecomponent returns somecomponent
  PARAM_SAFEDIR — use this when you need to return the name of a folder in Moodle; it brings the string into line with Moodle’s folder naming rules
  PARAM_SAFEPATH — the same as PARAM_SAFEDIR, but slashes (/) are also allowed
  PARAM_FILE — removes all suspicious characters from a file name
  PARAM_PATH — “cleans” the string and converts it into a valid path
  PARAM_HOST — use this when you need to return a valid host (including an IPv4 address)
  PARAM_URL — validates a URL string
  PARAM_PEM — validates a certificate
  PARAM_BASE64 — validates the base64 format
  PARAM_TAG — returns the tag name of an HTML string
  PARAM_CAPABILITY — checks for a capability matching the parameter
  PARAM_AUTH — checks for an authentication method
  PARAM_LANG — checks for a matching locale
  PARAM_THEME — checks for the presence of a matching theme/template
  PARAM_USERNAME — checks for a valid login name
  PARAM_EMAIL — checks that the value is a valid e-mail address

optional_param($parname, $default, $type)
- Description — reads a value from the PHP superglobal arrays $_GET, $_POST, $_REQUEST by the key given in $parname. The main feature of this function is that if the superglobal arrays do not contain this key, it returns the default value $default
- File location — lib/moodlelib.php
- Parameters — $parname — the key name in the superglobal array; $default — the default value if the key is empty or does not exist; $type — the expected type of the parameter

required_param($parname, $type)
- Description — similar to optional_param. The main difference is that there is no default value: if the requested key is not in the superglobal arrays, an error/exception about this is raised
- File location — lib/moodlelib.php
- Parameters — $parname — the key name in the superglobal array; $type — the expected type of the parameter

optional_param_array($parname, $default, $type)
- Description — similar to optional_param, with the only difference that $parname is a key in the superglobal array whose value is an array, for example $_POST[$parname] is an array
- File location — lib/moodlelib.php
- Parameters — $parname — the key name in the superglobal array; $default — the default value if the key is empty or does not exist; $type — the expected type of the parameter

required_param_array($parname, $type)
- Description — similar to optional_param_array; the difference is the missing $default parameter, as with required_param. If the key is not set in the array, an error about this is raised
- File location — lib/moodlelib.php
- Parameters — $parname — the key name in the superglobal array; $type — the expected type of the parameter

clean_param_array(array $param = null, $type, $recursive = false)
- Description — similar to optional_param_array and required_param_array, but it takes as the parameter $param an already existing variable (array)
- File location — lib/moodlelib.php
- Parameters — $param — the variable (array) that will be processed; $type — the expected type of the parameter; $recursive — if the values of the array $param are themselves arrays, then with the value true they are also processed by this function recursively

is_number($value)
- Description — checks whether the parameter $value is an integer
- File location — lib/moodlelib.php
- Parameters — $value — the variable that will be checked

strip_links($string)
- Description — strips link anchors (a tags) from an HTML string
- File location — lib/moodlelib.php
- Parameters — $string — the variable with HTML code that contains the a tag
Example
// For example, you need to get and filter the somevar param from the page URL
// http://mymoodlesite.com/somepage.php?somevar=lenauth, store the value in a variable
// and make a request to the database.

// $somevar = $_GET['somevar'];                          // this is wrong!!!

$somevar = optional_param('somevar', '', PARAM_ALPHA);   // fine! returns lenauth

// or

$somevar = optional_param('somevar', '', PARAM_AUTH);    // not only returns lenauth,
                                                         // but also checks that the AUTH method exists
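The following is an added example (not code from the article or from the Moodle project): the unsafe pattern quoted in the tweet above, placed next to the safe equivalent built on the functions described in the table. It assumes a normal Moodle page script that has already included config.php, so the $DB global and the lib/moodlelib.php functions are available; the table name somecomponent and the parameter names are hypothetical.

```php
<?php
// Added example, not from the article. Assumes this script lives one directory below
// the Moodle root, so config.php (which loads lib/moodlelib.php and sets up $DB) is here:
require_once(__DIR__ . '/../config.php');
require_login();

// UNSAFE (the pattern criticised in the tweet): a raw request value is interpolated
// straight into SQL, so the client controls part of the query.
// $a = $_REQUEST['a'];
// $sql = "SELECT * FROM {somecomponent} WHERE a = {$a}";   // SQL injection

// SAFE: the value is cleaned to the declared type before use (required_param raises an
// exception when the key is missing; PARAM_INT casts whatever was sent to an integer),
// and the query uses a DML placeholder instead of string interpolation.
// {somecomponent} is a hypothetical table name.
$a = required_param('a', PARAM_INT);
$records = $DB->get_records_sql(
    "SELECT * FROM {somecomponent} WHERE a = :a",   // placeholder, not "{$a}"
    ['a' => $a]
);

// Optional values get a default instead of an exception.
$page   = optional_param('page', 0, PARAM_INT);
$search = optional_param('search', '', PARAM_TEXT);   // HTML tags stripped, text kept

// Array input (e.g. checkboxes named ids[]): every element is cleaned to PARAM_INT.
$ids = optional_param_array('ids', [], PARAM_INT);

// Data that did not arrive through $_GET/$_POST (here a JSON body) is cleaned the same
// way with clean_param / clean_param_array; $recursive = true handles nested arrays.
$payload  = json_decode(file_get_contents('php://input'), true) ?: [];
$clean    = clean_param_array($payload, PARAM_NOTAGS, true);
$username = clean_param($payload['username'] ?? '', PARAM_USERNAME);
```

The point of the contrast is that the PARAM_* type is chosen from what the code actually expects (an id is PARAM_INT, a login is PARAM_USERNAME), and that cleaning the value is combined with placeholders in the query: cleaning alone does not protect a query that still interpolates strings.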
Notice
Do not run absolutely all data through these validation/check functions unnecessarily; use them only where the data really must be checked, because these functions use PHP regular-expression functions and sometimes make additional SQL queries, which creates extra load on the server.
DavoS
Thanks for the function descriptions, very useful indeed! The main point about slow Moodle load is the large number of regular expressions..
LMS Service
Hi, I also thought that RegExps make Moodle slow, and I agree with you
Mike
Great article, Igor! Thanks! I’m a newbie at Moodle development and worked with the $_GET array instead of optional_param. Is there any info about the Moodle context system?
LMS Service
Hi, Mike! No, at the moment there’s nothing about Moodle context, it’s a very big topic