Trouble getting module validated - $_POST

[mzfp]

HI

 

I'm having trouble getting my module validated by the addons team even though the module passes their validator tool.  The offending code is below.

foreach ($_POST as $key => $value)
{
    if (strpos($key, 'unit_') !== false)
    {
         $id_ppbs_unit = explode('_', $key);
         /// ..rest of code
    }
}

The complaint is that I should use:

$id_ppbs_unit = explode('_', Tools::getValue($key)); instead of what I have above, however i need the key itself so using Tools::getValue doesn't achieve what I need it to do above

 

I wonder if this is fixable?  What confuses me is that the module was accepted the first time which had the code above, and after a version update it's now being declined (even though it passes the module validator tool as already mentioned)

 

 

[FullCircles]

Do you make use of the value as well, or is it just the key storing the info? If so, could just set the value to be the same as the key, so you can use the getValue function to pass the validation perhaps?

 

Without seeing the rest of the code, it's hard to tell whether it's a reasonable issue or not, it might be that grabbing the keys directly is leaving your code with injection vulnerabilities, is the likely explanation

 

If that was the case, you could manually run the key through some of the protection to help, such as :

$key = stripslashes(urldecode(preg_replace('/((\%5C0+)|(\%00+))/i', '', urlencode($key))));

The other way of handling things would be to start using an array of data rather than just leaving it in basic post and looping through the lot. So you'd run getValue("units") and have a list of all the units in $_POST['units']

[shacker]

$_POST is forbidden

 

use

 

Tools::getValue instead

[mzfp]

Hi,

 

Thanks for your help, 

 

FullCircles, I make use of both the key and the value, the value is run through Tools::getValue as required, but of course, the key cannot be.  Your suggestion to run the key through some manual protection is worth a try, I will try that.  Failing that I'll need to modify the form data being sent, either way it's useful lesson for the future

 

 

Shacker, thanks but that wasn't helpful at all, Tools::getValue() works only for the element value, not the key.  I should also point out there are many places in Prestashop's core code which use the same technique as I am doing (accessing they key for elements in a $_POST array directly as there is no alternative method at present)

[shacker]

you can point that, but still getting the same validation error becouse a lot of preta code dnt validate. Maybe need to live with that and explain to presta the validation issue

[mzfp]

Hi Shacker, thanks and you're right I'll need to work around the problem in another way.  Appreciate your time, I'll mark this as solved.