Warning "Do Not Access Superglobal $_Post Array Directly" on Netbeans 7.4 For PHP

filter_input(INPUT_POST, 'var_name') instead of $_POST['var_name']

filter_input_array(INPUT_POST) instead of $_POST
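As an added example (not part of the answer above), here is what the two replacements look like once you give them real filters instead of the default one. The script has to run behind a web server, because filter_input() reads the request data PHP captured at startup; the field names `id`, `email` and `page` are made up for the illustration.

```php
<?php
// Added example: filter_input()/filter_input_array() with explicit filters.
// Run with `php -S localhost:8080 example.php` and POST a form to it, e.g.
//   curl -d 'id=42&email=not-an-address&extra=ignored' localhost:8080/
// Field names (id, email, page) are invented for the illustration.

declare(strict_types=1);

// Single field: INPUT_POST names the source, the filter rejects anything
// that is not an integer in the allowed range.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1, 'max_range' => PHP_INT_MAX],
]);

// filter_input() distinguishes "absent" from "present but invalid":
//   null  -> the field was not sent at all
//   false -> the field was sent but failed the filter
if ($id === null) {
    http_response_code(400);
    exit("missing id\n");
}
if ($id === false) {
    http_response_code(400);
    exit("invalid id\n");
}

// Whole body at once, with a per-field definition. Keys that are not in
// the definition are dropped, so unexpected POST fields never reach the
// application; 'page' gets a default when it is missing or invalid.
$definition = [
    'email' => FILTER_VALIDATE_EMAIL,
    'page'  => [
        'filter'  => FILTER_VALIDATE_INT,
        'options' => ['default' => 1, 'min_range' => 1],
    ],
];
// third argument false: fields that were not sent are left out of the
// result instead of being set to null
$form = filter_input_array(INPUT_POST, $definition, false);
if ($form === null) {
    // the request carried no POST data at all
    $form = [];
}

header('Content-Type: text/plain');
var_dump($id, $form);
```

With the curl command from the comment, `$id` is the integer 42, `$form['email']` is `false` (sent but malformed), `$form['page']` is 1 (the default) and the `extra` field does not appear at all. The null/false distinction is the practical reason to prefer filter_input() over `isset($_POST[...])`: the code can tell a missing field from a rejected one.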

Do not Access Superglobal $_REQUEST Array Directly. Netbeans 8.0 PHP

So I start looking into filter_input() however it is not yet implemented for $_REQUEST. This seems like a little bit of a dead end.

I'd say it is not a dead end but on purpose. filter_input() requires you to clearly specify the input type. $_REQUEST is not clear about it, it contains input from various sources, allowing one source to overwrite another.

Next to that, this is also not what the warning precisely wants to tell you. Swapping a superglobal like $_GET with an equally superglobal function like filter_input(INPUT_GET, ...) shows the same design flaw. But Netbeans can't warn you as easily about it.

And getting rid of superglobals is already a good idea.

Instead, inject input data into your application at a low-level place, e.g. by bootstrapping the request information, and do not use any superglobals nor the filter_input function in the rest of your code.

That will allow you to easily simulate any request method without even having an actual request.
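The bootstrapping approach the answer describes, as an added example that is not the answer author's code. It assumes PHP 8.0 or later; the `Request` class, its methods and `handleLogin()` are illustrative names, not a framework API. The superglobals are read in exactly one place, and everything downstream takes a `Request` value, which is what makes a request easy to simulate.

```php
<?php
// Added example: read the superglobals once at bootstrap, pass a value
// object to the rest of the application. Names are illustrative only.

declare(strict_types=1);

final class Request
{
    private string $method;

    /**
     * @param array<string,mixed> $query parameters that came from the URL
     * @param array<string,mixed> $body  parameters that came from the POST body
     */
    public function __construct(string $method, private array $query, private array $body)
    {
        $this->method = strtoupper($method);
    }

    /** The single place in the code base that touches superglobals. */
    public static function fromGlobals(): self
    {
        // filter_input_array() returns null when the source is empty and
        // false on failure; both become an empty array here.
        $query = filter_input_array(INPUT_GET) ?: [];
        $body  = filter_input_array(INPUT_POST) ?: [];
        return new self($_SERVER['REQUEST_METHOD'] ?? 'GET', $query, $body);
    }

    public function method(): string
    {
        return $this->method;
    }

    /** Parameter from the URL only; never falls back to the body. */
    public function query(string $name): ?string
    {
        $value = $this->query[$name] ?? null;
        return is_string($value) ? $value : null;
    }

    /** Parameter from the POST body only; never falls back to the URL. */
    public function post(string $name): ?string
    {
        $value = $this->body[$name] ?? null;
        return is_string($value) ? $value : null;
    }
}

/** Application code: depends on Request, not on $_POST or filter_input(). */
function handleLogin(Request $request): string
{
    if ($request->method() !== 'POST') {
        return 'error: login requires POST';
    }
    $user = $request->post('user');
    if ($user === null || $user === '') {
        return 'error: missing user';
    }
    return 'login attempt for ' . $user;
}

// In the real entry point (index.php) this would be the only line that
// reads the actual request:
//   echo handleLogin(Request::fromGlobals());

// From the CLI, or in a unit test, requests are constructed instead: a
// POST carrying the field in its body, and a GET that tries to smuggle
// the same field through the URL.
echo handleLogin(new Request('POST', [], ['user' => 'alice'])), PHP_EOL;
echo handleLogin(new Request('GET', ['user' => 'alice'], [])), PHP_EOL;
```

Run from the CLI, the first call reports the login attempt for alice and the second is rejected for using GET, without a web server being involved. Because `query()` and `post()` never fall back to each other, the class also does not reintroduce the $_REQUEST ambiguity through the back door.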

Do not Access Superglobal $_REQUEST Array Directly

My question is what would be the best-practice methods for doing the above differently/correctly?

The example JavaScript you gave used a GET request. The "correct" way to access the parameters would be through PHP's $_GET array. Using $_REQUEST is a bad habit because you lose control over how the data arrived. I'll give you a simple example:

Websites that use token-based authentication often require that you send the token as POST data. If it is considered insecure to exchange private info through URL parameters, a PHP script that gets the data from $_REQUEST has no way to know how the data arrived, and will mistakenly accept a badly sent token. A better script would look for the token in $_POST. If it's not there, then there is no token; even if a user tried to send it in the URL.
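The token scenario from the answer, as an added example that is not part of the original post. PHP fills $_REQUEST at request start by merging GET, POST and COOKIE data in the order given by `request_order` (or `variables_order` when that is unset; the stock php.ini files ship `request_order = "GP"`), with later sources overwriting earlier ones. That merge is reproduced here with plain arrays so the script runs from the CLI; the token value and the `GPC` order are constructed for the illustration.

```php
<?php
// Added example: why a token read through $_REQUEST is accepted from the
// URL while a token read from $_POST is not. The merge that PHP performs
// when it builds $_REQUEST is re-implemented below over plain arrays so
// the script can run from the CLI without a real request.

declare(strict_types=1);

const EXPECTED_TOKEN = 'c0ffee'; // constructed sample value

/** Rebuild what $_REQUEST would contain for the given sources and order. */
function buildRequestArray(array $get, array $post, array $cookie, string $order = 'GPC'): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split($order) as $letter) {
        // later letters overwrite earlier ones, as PHP does
        $merged = array_replace($merged, $sources[$letter] ?? []);
    }
    return $merged;
}

/** Sloppy: accepts the token from whichever source it arrived in. */
function tokenFromAnySource(array $request): ?string
{
    $value = $request['token'] ?? null;
    return is_string($value) ? $value : null;
}

/** Stricter: the token must be in the POST body, nowhere else. */
function tokenFromPostOnly(array $post): ?string
{
    $value = $post['token'] ?? null;
    return is_string($value) ? $value : null;
}

function isAuthenticated(?string $token): bool
{
    // hash_equals() compares in constant time, so the check itself does
    // not leak how many leading characters of the token were correct
    return $token !== null && hash_equals(EXPECTED_TOKEN, $token);
}

// Constructed scenario 1: the client put the token in the query string
// (GET /api?token=c0ffee) and sent an empty body.
$get    = ['token' => EXPECTED_TOKEN];
$post   = [];
$cookie = [];
$request = buildRequestArray($get, $post, $cookie);

var_dump(isAuthenticated(tokenFromAnySource($request)));
var_dump(isAuthenticated(tokenFromPostOnly($post)));

// Constructed scenario 2: a token in both the URL and the body, with
// different values. Which one $_REQUEST exposes depends only on the ini
// setting, not on anything the application decided.
$request = buildRequestArray(['token' => 'stale'], ['token' => EXPECTED_TOKEN], []);
var_dump(tokenFromAnySource($request));
```

In the first scenario the $_REQUEST-style lookup authenticates the caller even though the token travelled in the URL (and therefore through access logs, referrers and browser history), while the $_POST-only lookup correctly finds no token. The second scenario is the ambiguity the previous answer mentions: with `GPC` the body value wins, with `request_order = "PG"` the URL value would, and the script reading $_REQUEST cannot tell which happened.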

I read somewhere that this is not good in terms of being vulnerable to SQL injection attacks etc.

SQL injection doesn't have to do with $_REQUEST specifically. It can occur whenever you insert user submitted data directly in your SQL queries, whether the data came from $_REQUEST, $_GET, a file... This terrible code design allows an attacker to take control of your SQL and instruct your DB to execute whatever command he or she wishes (eg: to exfiltrate or delete your data). To protect yourself against it, learn about prepared statements and parameterized queries.
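The vulnerable pattern beside its prepared-statement replacement, as an added example that is not the answer author's code. It assumes the pdo_sqlite extension and uses an in-memory database so it runs from the CLI; the table, the rows and the attacker string are constructed for the illustration. The `$name` argument stands for whatever arrived in the request, and, as the answer says, it does not matter whether it came from $_REQUEST, $_GET or anywhere else.

```php
<?php
// Added example: string concatenation versus a prepared statement,
// against a constructed in-memory SQLite database (requires pdo_sqlite).

declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, secret TEXT NOT NULL)');
$db->exec("INSERT INTO users (name, secret) VALUES ('alice', 's3cr3t-a'), ('bob', 's3cr3t-b')");

/** Vulnerable: the value is pasted into the SQL text, so it can rewrite the query. */
function findUserUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Safe: the SQL text is fixed; the value is bound separately and can only ever be a value. */
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input: closes the string literal, appends a UNION
// that pulls the secret column into the result, and comments out the
// trailing quote the original query would have added.
$malicious = "x' UNION SELECT id, secret FROM users --";

echo "concatenated query:\n";
print_r(findUserUnsafe($db, $malicious));

echo "prepared statement:\n";
print_r(findUserSafe($db, $malicious));

// The prepared statement also behaves correctly for legitimate input
// that happens to contain a quote, which concatenation would break on.
print_r(findUserSafe($db, "o'brien"));
```

The concatenated version returns both users' secrets in the `name` column, because the executed statement has become `SELECT id, name FROM users WHERE name = 'x' UNION SELECT id, secret FROM users --'`. The prepared version returns an empty result set, since no user is literally named `x' UNION SELECT ...`; the query structure was fixed before the value was supplied, so there is nothing for the input to rewrite.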

Security concern when accessing php superglobal directly

No, you can use your first method and not fill the memory with duplicate data. The only concern here is to validate it before using it, and if you copy it to another variable, you need to do the same on it as well.
