Warning Do not Access Superglobal $_POST Array Directly on Netbeans 7.4 for PHP
filter_input(INPUT_POST, 'var_name') instead of $_POST['var_name']
filter_input_array(INPUT_POST) instead of $_POST
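As an added example (not code from the answer above), here is what the suggested swap looks like in a small form handler: each field goes through filter_input() with a validation filter, and the three possible results (absent, invalid, valid) are told apart explicitly. Field names (qty, email, note) and the JSON response are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not part of the original answer. Field names (qty, email, note)
// are assumed for illustration.
//
// Run it behind PHP's built-in server:
//   php -S 127.0.0.1:8080 form.php
//   curl -d 'qty=5&email=alice@example.com&note=hello' http://127.0.0.1:8080/
// filter_input() reads the request body as PHP received it, so from the CLI
// (or for a field that was never sent) every call below returns null.

// Three distinct outcomes per field:
//   null  -> field absent from the request
//   false -> present but fails the validation filter
//   value -> validated (and, for FILTER_VALIDATE_INT, already cast to int)
$qty = filter_input(INPUT_POST, 'qty', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1, 'max_range' => 100],
]);
$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);

// Free text has no "validate" filter; keep it raw here (control bytes stripped)
// and escape at the output boundary, not on the way in.
$note = filter_input(INPUT_POST, 'note', FILTER_UNSAFE_RAW, FILTER_FLAG_STRIP_LOW);

$errors = [];
if ($qty === null) {
    $errors['qty'] = 'missing';
} elseif ($qty === false) {
    $errors['qty'] = 'must be an integer from 1 to 100';
}
if ($email === null) {
    $errors['email'] = 'missing';
} elseif ($email === false) {
    $errors['email'] = 'not a valid address';
}

// The array form applies one definition to the whole body: fields not in the
// definition are dropped, missing ones come back as null. The call itself
// returns null when INPUT_POST is empty (a GET request, or the CLI).
$all = filter_input_array(INPUT_POST, [
    'qty'   => ['filter'  => FILTER_VALIDATE_INT,
                'options' => ['min_range' => 1, 'max_range' => 100]],
    'email' => FILTER_VALIDATE_EMAIL,
    'note'  => ['filter' => FILTER_UNSAFE_RAW, 'flags' => FILTER_FLAG_STRIP_LOW],
]);

header('Content-Type: application/json');
if ($errors !== []) {
    http_response_code(422);
    echo json_encode(['errors' => $errors]);
    exit;
}
echo json_encode([
    'qty'        => $qty,
    'email'      => $email,
    'note'       => htmlspecialchars((string) $note, ENT_QUOTES, 'UTF-8'),
    'array_form' => $all,
]);
```

One caveat worth knowing before adopting this: filter_input() reads the request as PHP originally received it, not the $_POST array. Anything assigned to $_POST later (for example in a test) is invisible to it, which is why the next answer on this page argues for reading the request once at bootstrap and passing it in rather than calling filter_input() throughout the code base.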
Do not Access Superglobal $_REQUEST Array Directly. Netbeans 8.0 PHP
So I start looking into filter_input(), however it is not yet implemented for $_REQUEST. This seems like a little bit of a dead end.
I'd say it is not a dead end but on purpose. filter_input() requires you to clearly specify the input type. $_REQUEST is not clear about it: it contains input from various sources, allowing one source to overwrite another.
Next to that, this is also not what the warning precisely wants to tell you. Swapping a superglobal like $_GET with an equally superglobal function like filter_input(INPUT_GET, ...) shows the same design flaw, but Netbeans can't warn you as easily about it. And getting rid of superglobals is already a good idea.
Instead, inject input data into your application at a low-level place, e.g. when bootstrapping the request information, and do not use any superglobals nor the filter_input function in the rest of your code.
That will allow you to easily simulate any request method without even having an actual request.
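The bootstrap-injection approach described in the answer above, as an added example that is not the answerer's code: a small Request value object is the only place that touches $_SERVER, $_GET and $_POST, application code receives it as a parameter, and the CLI branch simulates four requests with no web server involved. Class and method names (Request, fromGlobals, fromArrays, handleTransfer) are assumptions for illustration; the code assumes PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original answer. The request is read from
// superglobals exactly once, at the bootstrap boundary; everything else takes
// a Request and cannot tell (or care) how the data arrived.

final class Request
{
    /** @param array<string,mixed> $query  @param array<string,mixed> $body */
    private function __construct(
        private string $method,
        private array $query,
        private array $body,
    ) {}

    // The ONE place in the code base that reads superglobals.
    public static function fromGlobals(): self
    {
        return new self(strtoupper($_SERVER['REQUEST_METHOD'] ?? 'GET'), $_GET, $_POST);
    }

    // For tests and CLI tooling: any method, any parameters, no HTTP needed.
    public static function fromArrays(string $method, array $query = [], array $body = []): self
    {
        return new self(strtoupper($method), $query, $body);
    }

    public function method(): string
    {
        return $this->method;
    }

    // The source is explicit in the accessor name, so a caller cannot
    // accidentally accept a body-only value that arrived in the URL.
    // Non-string values (e.g. amount[]=1 array injection) are treated as absent.
    public function query(string $key): ?string
    {
        $v = $this->query[$key] ?? null;
        return is_string($v) ? $v : null;
    }

    public function body(string $key): ?string
    {
        $v = $this->body[$key] ?? null;
        return is_string($v) ? $v : null;
    }
}

// Application code: no superglobals, no filter_input(), just the Request.
function handleTransfer(Request $request): array
{
    if ($request->method() !== 'POST') {
        return ['status' => 405, 'error' => 'POST required'];
    }
    $amount = filter_var($request->body('amount'), FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($amount === false) {
        return ['status' => 422, 'error' => 'amount must be a positive integer'];
    }
    return ['status' => 200, 'amount' => $amount];
}

if (PHP_SAPI === 'cli') {
    // Simulated requests (constructed inputs); run with: php request.php
    $cases = [
        Request::fromArrays('GET',  ['amount' => '50']),            // in the URL: 405
        Request::fromArrays('POST', [], ['amount' => '50']),        // accepted: 200
        Request::fromArrays('POST', [], ['amount' => '50; DROP']),  // not an int: 422
        Request::fromArrays('POST', [], ['amount' => ['1']]),       // array, not string: 422
    ];
    foreach ($cases as $case) {
        echo json_encode(handleTransfer($case)), PHP_EOL;
    }
} else {
    // Bootstrap under a web server: the only line that touches globals.
    $result = handleTransfer(Request::fromGlobals());
    header('Content-Type: application/json');
    http_response_code($result['status']);
    echo json_encode($result);
}
```

Because the accessor returns null for anything that is not a string, a parameter sent as an array (amount[]=1) is rejected at the same point as a missing one, instead of reaching string functions further down as an array.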
Do not Access Superglobal $_REQUEST Array Directly
My question is what would be the best-practice methods for doing the above differently/correctly?
The example JavaScript you gave used a GET request. The "correct" way to access the parameters would be through PHP's $_GET array. Using $_REQUEST is a bad habit because you lose control over how the data arrived. I'll give you a simple example:
Websites that use token-based authentication often require that you send the token as POST data. If it is considered insecure to exchange private info through a URL parameter, a PHP script that gets the data from $_REQUEST has no way to know how the data arrived, and will mistakenly accept a badly sent token. A better script would look for the token in $_POST. If it's not there, then there is no token, even if a user tried to send it in the URL.
I read somewhere that this is not good in terms of being vulnerable to SQL injection attacks etc.
SQL injection doesn't have to do with $_REQUEST specifically. It can occur whenever you insert user-submitted data directly into your SQL queries, whether the data came from $_REQUEST, $_GET, a file... This terrible code design allows an attacker to take control of your SQL and instruct your DB to execute whatever command he or she wishes (e.g. to exfiltrate or delete your data). To protect yourself against it, learn about prepared statements and parameterized queries.
Security concern when accessing php superglobal directly
No, you can use your first method and not fill the memory with duplicate data. The only concern here is to validate it before using it, and if you copy it to another variable, you need to do the same on it also.