
During the development of any software, a programmer needs not only to write clean code with a well-thought-out architecture, but also to keep in mind all kinds of checks against incorrect user activity, such as validating the data that comes in from users. Your product will be used both by ordinary people, who can make mistakes when submitting data, and by attackers (in simple words, "hackers"), who will look for vulnerabilities and bugs. In both cases, if the code allows it, a vulnerability can cause serious problems up to and including financial loss, which is of course highly undesirable.

Usually novice programmers, through inexperience, miss (fail to anticipate) some security points, but we are all human, so even large corporations with an impressive staff of professional, experienced programmers can fail to see the "holes" in their software: even Google Inc. and Apple have had loud stories about user data leaking through the hacking of various services of these companies.

Code security in Moodle

As with any open-source system, Moodle is constantly updated and, when critical bugs are detected, they are fixed quickly, so at the moment, with the support of a community of thousands, "bugs" of this kind in the Moodle core are virtually eliminated. Moodle plugins are another matter: they are written by enthusiasts, who of course deserve special thanks, but their level of development is unknown to anyone, so before publication each plugin passes certain tests by the Moodle core programmers, who know from experience what to check. For example, one of the main Moodle developers, after checking yet another plugin, wrote on his Twitter:

Checking, filtering and processing Moodle input data

Description of built-in Moodle functions for code security

    • fix_utf8mb4($value)

      • Description: converts the input data to the utf8mb4 encoding; illegal characters are discarded
      • $value — the variable to be converted to utf8mb4

    • clean_param($param, $type)

      • Description: cleans a variable and casts it to the corresponding type. Used together with the Moodle functions optional_param and required_param
      • File location: lib/moodlelib.php
      • $param — the parameter (variable) to be processed
      • $type — the expected parameter type. Possible values:

        • PARAM_RAW — "cleans" nothing, only applies the function fix_utf8mb4
        • PARAM_RAW_TRIMMED — "cleans" nothing, but cuts (trims) extra spaces at the beginning and end of the value. Uses the basic PHP function trim after fix_utf8mb4
        • PARAM_CLEANHTML — "cleans" HTML code
        • PARAM_INT — casts the value to an integer
        • PARAM_FLOAT — casts the value to a floating-point number
        • PARAM_ALPHA — removes all characters except lowercase letters, removes uppercase letters
        • PARAM_ALPHAEXT — removes all characters except letters, leaves both uppercase and lowercase letters
        • PARAM_ALPHANUM — removes all characters except letters and digits
        • PARAM_ALPHANUMEXT — removes all characters except letters, digits and dashes
        • PARAM_SEQUENCE — removes all characters except digits (a sequence of numbers)
        • PARAM_BOOL — casts to 1 (true) or 0 (false)
        • PARAM_NOTAGS — removes all HTML tags using the PHP function strip_tags, then applies fix_utf8mb4
        • PARAM_TEXT — keeps the text and removes all HTML tags, but leaves the lang tags
        • PARAM_COMPONENT — returns the name of the component without its prefix, for example the string mod_somecomponent returns somecomponent
        • PARAM_SAFEDIR — use this option if you need to return the name of a folder in Moodle; it brings the string into line with the Moodle folder-naming rules
        • PARAM_SAFEPATH — the same as PARAM_SAFEDIR, but slashes (/) are also allowed
        • PARAM_FILE — removes all suspicious characters from a file name
        • PARAM_PATH — "cleans" the string and converts it into a valid path
        • PARAM_HOST — use it if you need to return a valid host (including an IPv4 address)
        • PARAM_URL — validates a URL string
        • PARAM_PEM — validates a certificate
        • PARAM_BASE64 — processes the value as base64-formatted data
        • PARAM_TAG — returns the tag name from the HTML string
        • PARAM_CAPABILITY — checks for a capability that matches the parameter
        • PARAM_AUTH — checks for an authentication method
        • PARAM_LANG — checks for a matching locale
        • PARAM_THEME — checks for the presence of a matching theme / template
        • PARAM_USERNAME — checks for a matching login
        • PARAM_EMAIL — checks that the value is a valid e-mail address

    • optional_param($parname, $default, $type)

      • Description: this function reads the value from the PHP superglobal arrays $_GET, $_POST and $_REQUEST using the key given in the parameter $parname. The main feature of this function is that if the superglobal array does not contain this key, it returns the default value $default
      • File location: lib/moodlelib.php
      • $parname — the key (parameter name) in the superglobal array
      • $default — the default value if the key is empty or does not exist
      • $type — the expected type of the parameter

    • required_param($parname, $type)

      • Description: this function is similar to optional_param. The main difference is that there is no default value, and if the required key is not present in the superglobal arrays, an error/exception is raised
      • File location: lib/moodlelib.php
      • $parname — the key (parameter name) in the superglobal array
      • $type — the expected type of the parameter

    • optional_param_array($parname, $default, $type)

      • Description: this function is similar to optional_param, with the only difference that $parname is the key in the superglobal array whose value is itself an array, for example $_POST[$parname] is an array
      • File location: lib/moodlelib.php
      • $parname — the key (parameter name) in the superglobal array
      • $default — the default value if the key is empty or does not exist
      • $type — the expected type of each element of the array

    • required_param_array($parname, $type)

      • Description: this function is similar to optional_param_array; the difference is the missing parameter $default, as with required_param. If the key is not set in the array, an error is raised
      • File location: lib/moodlelib.php
      • $parname — the key (parameter name) in the superglobal array
      • $type — the expected type of each element of the array

    • clean_param_array(array $param = null, $type, $recursive = false)

      • Description: this function is similar to optional_param_array and required_param_array, but it takes as its parameter $param a variable (array) that you already have
      • File location: lib/moodlelib.php
      • $param — the array to be processed
      • $type — the expected type of each element of the array
      • $recursive — if the values of $param are themselves arrays, the value true makes this function process them recursively as well

    • is_number($value)

      • Description: checks whether the parameter $value is an integer
      • File location: lib/moodlelib.php
      • $value — the variable to be checked

    • strip_links($string)

      • Description: returns the link anchors from an HTML string
      • File location: lib/moodlelib.php
      • $string — the variable containing the HTML code with the a tags

Example

<?php
// Suppose you need to read and filter the "somevar" parameter from the page URL
// http://mymoodlesite.com/somepage.php?somevar=lenauth, store it in a variable and use it in a database query.
require_once(__DIR__ . '/config.php'); // loads the Moodle core (including lib/moodlelib.php); assumes somepage.php lives in the Moodle root

// $somevar = $_GET['somevar']; // this is wrong!!! The raw value is never cleaned.
$somevar = optional_param('somevar', '', PARAM_ALPHA); // fine! Returns "lenauth"
// or
$somevar = optional_param('somevar', '', PARAM_AUTH); // not only returns "lenauth", but also checks that this AUTH method is available
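The following is an added example (not code from the original article or from the Moodle project) of a complete page script that reads every request parameter through the functions described above, then combines the cleaned values with authorisation and a parameterised query. The functions and PARAM_* constants are real Moodle core API from lib/moodlelib.php and lib/dml; the page path local/example/view.php, the table local_example and its columns are assumptions made for the example.

```php
<?php
// Hypothetical page local/example/view.php (added example, not Moodle code).
// Assumed table: local_example(id, course, name, timecreated).
require_once(__DIR__ . '/../../config.php');   // bootstraps $CFG, $DB, $PAGE, $OUTPUT

// required_param(): the course id must be present; a missing or empty value
// throws a moodle_exception instead of silently continuing with null.
$courseid = required_param('id', PARAM_INT);

// optional_param(): the sort keyword is optional; every non-letter is stripped,
// so "name<script>" becomes "namescript" and never reaches the SQL layer.
$sort = optional_param('sort', 'name', PARAM_ALPHA);

// optional_param_array(): a list of record ids from checkboxes, e.g.
// ?ids[]=3&ids[]=7 -> every element is cast to int; a scalar "ids" value is
// not an array, so the function falls back to the default.
$ids = optional_param_array('ids', array(), PARAM_INT);

// Authorisation belongs next to input validation: a well-formed id is not yet
// a permitted one. MUST_EXIST throws if the course does not exist.
$course = $DB->get_record('course', array('id' => $courseid), '*', MUST_EXIST);
require_login($course);
$context = context_course::instance($course->id);
require_capability('moodle/course:view', $context);

// Whitelist on top of type cleaning: PARAM_ALPHA guarantees "letters only",
// not "a column that exists", so map the value onto a fixed list of columns.
$allowedsorts = array('name' => 'name', 'created' => 'timecreated');
if (!isset($allowedsorts[$sort])) {
    $sort = 'name';
}

// Parameterised query: the cleaned ids still go in as placeholders, never
// concatenated into the SQL string.
$records = array();
if (!empty($ids)) {
    list($insql, $params) = $DB->get_in_or_equal($ids, SQL_PARAMS_NAMED);
    $params['courseid'] = $course->id;
    $records = $DB->get_records_select('local_example',
        "course = :courseid AND id $insql", $params, $allowedsorts[$sort]);
}

// Data that arrives some other way (a decoded JSON body, a CSV cell) is cleaned
// with clean_param() / clean_param_array() before use, just like request data.
$payload = json_decode('{"title":"Week <b>1</b>","tags":["a1","b-2"]}', true); // constructed sample
$title = clean_param($payload['title'], PARAM_TEXT);           // HTML tags removed
$tags  = clean_param_array($payload['tags'], PARAM_ALPHANUM);  // dash dropped from "b-2"

$PAGE->set_url(new moodle_url('/local/example/view.php', array('id' => $course->id)));
$PAGE->set_context($context);
echo $OUTPUT->header();
echo html_writer::tag('h2', s($title));
foreach ($records as $record) {
    echo html_writer::tag('p', s($record->name));
}
echo $OUTPUT->footer();
```

Two points the shorter example above does not show: cleaning fixes the type of a value but says nothing about whether the caller may use it, which is why require_login() and require_capability() sit directly after the parameters are read; and a value that is "safe" by type (PARAM_ALPHA) can still be wrong by meaning, which is why the sort column is looked up in a fixed map rather than passed through.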

Notice

Do not validate and check absolutely all data with these functions unnecessarily; use them only where the data really has to be checked, because these functions use PHP regular-expression functions and sometimes make additional SQL queries, which creates extra load on the server.

Comments (4)

  • DavoS

    Thanks for the function descriptions, very much indeed! The main point about slow Moodle loading is the large number of regular expressions..

    • LMS Service

      Hi, I also thought that RegExps make Moodle slow, and I agree with you

  • Mike

    Great article, Igor! Thanks! I'm a newbie at Moodle development and worked with the $_GET array instead of optional_param. Is there any info about the Moodle context system?

    • LMS Service

      Hi, Mike! No, at the present time there is nothing about Moodle context, it's a very big topic
© 2014–2016, «LMS-Service». All rights reserved.