douyong1285 2014-04-28 01:12
Views: 99
Accepted

"Do not access Superglobal $_REQUEST array directly." Netbeans 8.0 PHP

This question is being asked after having read a few others.

Do not access superglobal $_GET array directly

“Do not Access Superglobal $_SERVER Array Directly” on Netbeans 7.4 for PHP

Why is filter_input() incomplete?

I have loaded up the latest version Netbeans 8.0 and I have seen a warning

Do not Access Superglobal $_REQUEST Array Directly.

Great, I am happy to be shown when I am doing something which can be improved upon, so I look at the hints.

The suggestion is quite simple.

Use some filtering functions instead (e.g. filter_input(), conditions with is_*() functions, etc.).

So I start looking into filter_input() however it is not yet implemented for $_REQUEST. This seems like a little bit of a dead end.

Then I read something which was quite helpful from (@bobince) "At the start of your script when you're filtering, you don't know where your input is going to end up, so you don't know how to escape it."

It reminded me, I know exactly where my input is going to end up, and exactly what it will be used for. So, I wanted to ask everyone if the approach I am going to take is essentially safe.

I am designing a REST-ish API and I am using $_SERVER['REQUEST_METHOD']; to determine the resource which needs to be returned. I am also using $_REQUEST['resource']; which should contain everything on the URI after /api/ following the .htaccess rewrite.

The questions I have about my approach are:

  1. If I always validate $_SERVER['REQUEST_METHOD']; to be within the required GET PUT POST DELETE (which I will need to do anyway), is there really a problem not filtering the input?
  2. Should I be accessing the $_REQUEST['resource']; by using filter_input(INPUT_GET, 'resource');? When this will only be used to determine a resource, and where the resource cannot be determined (say someone attempts to add malicious code) we will simply not find a resource and return a 404 Not Found status.
  3. Are there any other considerations I need to take into account, and have I missed anything critical in my understanding?

I realise, this may seem like a lot of concern for what is only considered a warning however, in my experience, fixing just the errors will give you working code, but fixing the warnings will help you understand why the code works.


1 answer

  • doujiabing1228 2014-04-28 01:24

    "So I start looking into filter_input() however it is not yet implemented for $_REQUEST. This seems like a little bit of a dead end."

    I'd say it is not a dead end but on purpose. filter_input() requires you to clearly specify the input type. $_REQUEST is not clear about it, it contains input from various sources, allowing one source overwriting another.

    Next to that this is also not what the warning precisely wants to tell you. Swapping a superglobal like $_GET with an equally superglobal function like filter_input(INPUT_GET, ...) shows the same design flaw. But Netbeans can't warn you as easily about it.

    And getting rid of superglobals is already a good idea.

    Instead, inject input data to your application at a low-level place, e.g. bootstrapping the request information and do not use any superglobals nor the filter_input function in the rest of your code.

    That will allow you to easily simulate any request method without even having an actual request.

    This answer was accepted by the asker.
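The following is an added example, not code from the question or the answer, showing both points at once: the asker's validation of REQUEST_METHOD against an allow-list and of the rewritten resource path with a 404 fallback, and the answer's advice to capture request data once at bootstrap and inject it, so the rest of the code never touches superglobals or filter_input() and can be driven by a simulated request. It assumes PHP 8.1 or later, that the .htaccess rewrite places the URI remainder in $_GET['resource'] (so $_GET rather than $_REQUEST is read, avoiding the source-overwriting problem the answer mentions), and the Request, Router and bootstrap() names are hypothetical. The sample requests at the bottom are constructed.

```php
<?php
declare(strict_types=1);

// Added example: request data is captured once at bootstrap and handed to the
// router as a plain value object, so no other code reads superglobals.

final class Request
{
    // Allow-list from the question: anything else is rejected before routing.
    private const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];

    public function __construct(
        public readonly string $method,
        public readonly string $resource,
    ) {}

    /**
     * Build a Request from plain arrays with the shape of $_SERVER and $_GET.
     * Production passes the real superglobals; tests pass constructed arrays.
     * Assumed keys: $server['REQUEST_METHOD'] and $get['resource'] (set by the rewrite rule).
     */
    public static function fromArrays(array $server, array $get): self
    {
        // 1. Method: compare against the allow-list, never trust the raw string downstream.
        $method = strtoupper((string)($server['REQUEST_METHOD'] ?? ''));
        if (!in_array($method, self::ALLOWED_METHODS, true)) {
            throw new InvalidArgumentException('Unsupported request method');
        }

        // 2. Resource: validate the shape up front instead of escaping for an unknown sink.
        //    Only segments of [A-Za-z0-9_-] separated by single slashes are accepted, so
        //    dots, encoded slashes, NUL bytes and the like can never reach a handler.
        $resource = (string)($get['resource'] ?? '');
        if ($resource === '' || !preg_match('#\A[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*\z#', $resource)) {
            throw new InvalidArgumentException('Unroutable resource');
        }

        return new self($method, $resource);
    }
}

final class Router
{
    /** @var array<string, callable(Request): string> keyed by "METHOD resource" */
    private array $routes = [];

    public function add(string $method, string $resource, callable $handler): void
    {
        $this->routes[strtoupper($method) . ' ' . $resource] = $handler;
    }

    /** Returns [status, body]; an unknown resource is a 404, as the question proposes. */
    public function dispatch(Request $r): array
    {
        $key = $r->method . ' ' . $r->resource;
        if (!isset($this->routes[$key])) {
            return [404, 'Not Found'];
        }
        return [200, ($this->routes[$key])($r)];
    }
}

// The only place request arrays are consumed; a malformed method or resource
// is answered with 404 without ever being routed.
function bootstrap(Router $router, array $server, array $get): array
{
    try {
        $request = Request::fromArrays($server, $get);
    } catch (InvalidArgumentException $e) {
        return [404, 'Not Found'];
    }
    return $router->dispatch($request);
}

$router = new Router();
$router->add('GET', 'users/42', fn(Request $r) => '{"id":42}');

if (PHP_SAPI === 'cli') {
    // Simulated requests built from constructed arrays: no live HTTP request, no superglobals.
    var_dump(bootstrap($router, ['REQUEST_METHOD' => 'GET'],   ['resource' => 'users/42']));
    var_dump(bootstrap($router, ['REQUEST_METHOD' => 'GET'],   ['resource' => '../users/42']));
    var_dump(bootstrap($router, ['REQUEST_METHOD' => 'TRACE'], ['resource' => 'users/42']));
} else {
    // Real request: the superglobals are read here and nowhere else.
    [$status, $body] = bootstrap($router, $_SERVER, $_GET);
    http_response_code($status);
    echo $body;
}
```

Run from the command line the three simulated calls exercise the happy path, a resource containing dots (rejected by the pattern before routing), and a method outside the allow-list; under a web server the same bootstrap() is fed the real $_SERVER and $_GET. Because Request::fromArrays() takes arrays rather than reading globals itself, the warning Netbeans raises disappears for the right reason: input validation happens exactly once, at a known sink (the router), which is the point the accepted answer makes.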
