This question is being asked after having read a few others:
- Do not access superglobal $_GET array directly
- “Do not Access Superglobal $_SERVER Array Directly” on Netbeans 7.4 for PHP
- Why is filter_input() incomplete?
I have loaded up the latest version of Netbeans 8.0 and I have seen a warning: "Do not Access Superglobal $_REQUEST Array Directly."
Great, I am happy to be shown when I am doing something which can be improved upon, so I look at the hints.
The suggestion is quite simple: "Use some filtering functions instead (e.g. filter_input(), conditions with is_*() functions, etc.)."
So I start looking into filter_input(); however, it is not yet implemented for $_REQUEST. This seems like a little bit of a dead end.
Then I read something which was quite helpful from @bobince: "At the start of your script when you're filtering, you don't know where your input is going to end up, so you don't know how to escape it."
It reminded me that I know exactly where my input is going to end up, and exactly what it will be used for. So, I wanted to ask everyone if the approach I am going to take is essentially safe.
I am designing a REST-ish API and I am using $_SERVER['REQUEST_METHOD'] to determine the resource which needs to be returned. I am also using $_REQUEST['resource'], which should contain everything on the URI after /api/ following the .htaccess rewrite.
The questions I have about my approach are:
- If I always validate $_SERVER['REQUEST_METHOD'] to be within the required GET, PUT, POST, DELETE (which I will need to do anyway), is there really a problem not filtering the input?
- Should I be accessing $_REQUEST['resource'] by using filter_input(INPUT_GET, 'resource')? When this will only be used to determine a resource, and where the resource cannot be determined (say someone attempts to add malicious code) we will simply not find a resource and return a 404 Not Found status.
- Are there any other considerations I need to take into account, and have I missed anything critical in my understanding?
I realise this may seem like a lot of concern for what is only considered a warning; however, in my experience, fixing just the errors will give you working code, but fixing the warnings will help you understand why the code works.
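The approach described in the question, written out as an added example (this is not code from the question or from any answer): the verb is checked against a whitelist, the rewritten path is read with filter_input() under a strict regular expression instead of through $_REQUEST, and anything that fails either check becomes a 405 or a 404 without the raw value ever being echoed back. The constant names, the route()/dispatch() functions, the handler table and the sample inputs are all assumptions made for this illustration; it assumes PHP 7.4 or later and that the .htaccess rewrite places the path after /api/ into the resource query parameter.

```php
<?php
declare(strict_types=1);

// Added example, not from the original question. ALLOWED_METHODS,
// RESOURCE_PATTERN, route(), dispatch() and the handler table are assumed
// names for illustration, not part of any framework.

const ALLOWED_METHODS = ['GET', 'PUT', 'POST', 'DELETE'];

// Only lower-case segments of letters, digits, '-' and '_' separated by single
// slashes, e.g. "users/42" or "orders/2014-05/items". Anything else is simply
// not a resource, so it can never reach a handler or be echoed back.
const RESOURCE_PATTERN = '~^[a-z0-9_-]+(/[a-z0-9_-]+)*$~';

// Resolve a (method, resource) pair to [status code, body] without touching
// any superglobal, so the decision logic can be exercised with constructed input.
function route(?string $method, ?string $resource, array $handlers): array
{
    // 1. Whitelist the verb first; anything outside the list is rejected.
    if ($method === null || !in_array($method, ALLOWED_METHODS, true)) {
        return [405, 'Method Not Allowed'];
    }

    // 2. A resource that fails the pattern is treated exactly like a missing
    //    one: it is not found, and its contents are never used anywhere.
    if ($resource === null || !preg_match(RESOURCE_PATTERN, $resource)) {
        return [404, 'Not Found'];
    }

    // 3. Exact lookup of the method+resource pair in the handler table.
    $key = $method . ' ' . $resource;
    if (!isset($handlers[$key])) {
        return [404, 'Not Found'];
    }
    return [200, $handlers[$key]()];
}

// Entry point for a real request: read the verb and the rewritten path with
// filter_input() rather than $_SERVER / $_REQUEST. With FILTER_VALIDATE_REGEXP
// the call returns false (not the raw value) when the input fails the pattern,
// and null when the parameter is absent; route() treats both as "no resource".
function dispatch(array $handlers): void
{
    $method   = filter_input(INPUT_SERVER, 'REQUEST_METHOD', FILTER_DEFAULT);
    $resource = filter_input(
        INPUT_GET,
        'resource',
        FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => RESOURCE_PATTERN]]
    );

    [$status, $body] = route(
        is_string($method) ? $method : null,
        is_string($resource) ? $resource : null,
        $handlers
    );
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    echo $body, "\n";
}

// Constructed handler table for the demonstration.
$handlers = [
    'GET users/42'    => fn() => '{"id":42,"name":"alice"}',
    'DELETE users/42' => fn() => '',
];

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs, including the "malicious code" case from the
    // question: each hostile value is rejected by the pattern and ends as a 404.
    $samples = [
        ['GET',   'users/42'],                 // 200, handler runs
        ['PATCH', 'users/42'],                 // 405, verb not whitelisted
        ['GET',   'users/42; DROP TABLE x'],   // 404, fails the pattern
        ['GET',   '../../etc/passwd'],         // 404, fails the pattern
        ['GET',   null],                       // 404, no resource at all
    ];
    foreach ($samples as [$m, $r]) {
        [$status, $body] = route($m, $r, $handlers);
        printf("%-6s %-28s -> %d %s\n", $m, var_export($r, true), $status, $body);
    }
} else {
    dispatch($handlers);
}
```

Two points the example is built around. First, reading the path from INPUT_GET rather than $_REQUEST is deliberate: which sources feed $_REQUEST, and which one wins when the same name appears twice, is decided by the request_order ini setting (falling back to variables_order), so a POST field or a cookie named resource could otherwise shadow the URI segment that the rewrite rule produced. Second, the regular expression does the real work; filter_input() on its own is only a convenient place to apply it, and keeping the decision in route() means the 405/404 behaviour can be checked from the command line with constructed input before the script is ever exposed behind the rewrite.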