121

I've got this message warning on Netbeans 7.4 for PHP while I'm using $_POST, $_GET, $_SERVER, ....

Do not Access Superglobal $_POST Array Directly

What does it mean? What can I do to correct this warning?

Edit: The Event sample code still shows this warning.

Tiny
  • 27,221
  • 105
  • 339
  • 599
Kannika
  • 2,538
  • 2
  • 27
  • 38
  • 1
    What's the code that insures this message in Netbeans? – TiMESPLiNTER Nov 04 '13 at 12:41
  • 2
    It is just a recommendation, you can turn it off in the options... and I would say this is not a programming question! – Matteo Tassinari Nov 04 '13 at 12:41
  • 1
    I just want to know what this warning want me to change! because older netbeans version is not showing. Is there another way to get those parameters from? (I mean $_POST) – Kannika Nov 04 '13 at 12:53
  • @MatteoTassinari I know that is just the recommendation and I know where to disable it, but what I can I do to make correct without any warning? I think my knowledge have limit to get warning, but I just want to fixed it up to make my code up to date with new thing because I know only $_POST will get those posting form submitted. Anyway, Thanks for your comment :D – Kannika Nov 04 '13 at 13:01
  • 1
    possible duplicate of [Security concern when accessing php superglobal directly](http://stackoverflow.com/questions/18495056/security-concern-when-accessing-php-superglobal-directly) – Ankur Jul 12 '14 at 18:19

5 Answers5

100

filter_input(INPUT_POST, 'var_name') instead of $_POST['var_name']
filter_input_array(INPUT_POST) instead of $_POST

ralight
  • 11,033
  • 3
  • 49
  • 59
Homerocker
  • 1,230
  • 1
  • 10
  • 3
  • 7
    Are you answering at the question "what does the warning mean" or at the question "how to remove it"? Because I agree with you, that's what the warning means, but using the function the warning stays there. I have it right now on a `$name = filter_input(INPUT_POST, $_POST["name"]);`. – stenci Dec 19 '13 at 04:05
  • 6
    @stenci you are using $_POST again while you should do something like this $name = filter_input(INPUT_POST, "name"); – Wojciech Sobczyk Dec 20 '13 at 10:13
  • 1
    and what is replacing $_REQUEST ? – mlwacosmos Jan 08 '14 at 12:02
  • @mlwacosmos INPUT_REQUEST, in this example filter_input(INPUT_REQUEST, 'request_name') – Choinek Jan 09 '14 at 10:27
  • that does not exist... that is the problem – mlwacosmos Jan 10 '14 at 08:51
  • 16
    Well, the warning may disappear, but if you don't specify a filter then you will not really fix the security issue NetBeans is pointing out. For example, if you are expecting an int, use: `filter_input(INPUT_POST, 'var_name', FILTER_SANITIZE_NUMBER_INT)` – HoffZ Jul 18 '14 at 12:00
  • how do i access `$_GET` – sanoj lawrence Mar 23 '15 at 08:47
  • 51
    -1: This answer seems kind of trivial. no explanation, what filter_input does, not even a link to http://www.php.net/filter_input. It frightens me that people will just see it, use it, think they are writing better code but still not understand a thing. – IARI Jul 20 '15 at 09:05
  • 5
    Ow, suggesting use of a filter function without a filter argument leads to FILTER_UNSAFE_RAW, which is equivalent to TRUST_ALL_BAD_INPUT – Kzqai Nov 30 '15 at 16:32
  • 1
    can you explain , why we should do this? – ʞɔıɥʇɹɐʞ ouɐɯ Nov 08 '16 at 14:08
  • If I am not mistaken, INPUT_REQUEST seems to be not implemented yet: http://php.net/manual/en/filter.constants.php. – Brice Coustillas Dec 25 '16 at 08:45
  • 2
    You must specify a filter, otherwise this doesn't do anything other than get rid of the warning. Manual says: "If omitted, FILTER_DEFAULT will be used, which is equivalent to FILTER_UNSAFE_RAW. This will result in no filtering taking place by default." – Levon Jun 24 '17 at 19:24
96

Although a bit late, I've come across this question while searching the solution for the same problem, so I hope it can be of any help...

Found myself in the same darkness than you. Just found this article, which explains some new hints introduced in NetBeans 7.4, including this one:

https://blogs.oracle.com/netbeansphp/entry/improve_your_code_with_new

The reason why it has been added is because superglobals usually are filled with user input, which shouldn't ever be blindly trusted. Instead, some kind of filtering should be done, and that's what the hint suggests. Filter the superglobal value in case it has some poisoned content.

For instance, where I had:

$_SERVER['SERVER_NAME']

I've put instead:

filter_input(INPUT_SERVER, 'SERVER_NAME', FILTER_SANITIZE_STRING)

You have the filter_input and filters doc here:

http://www.php.net/manual/en/function.filter-input.php

http://www.php.net/manual/en/filter.filters.php

Ricardo Palomares Martínez
  • 1,135
  • 9
  • 10
  • If you do exactly what you say, Netbeans will still underline the "$_POST" or "$_GET" parts and display the notification as if it wasn't being filtered. This problem might just be a Netbeans bug (in version 8.1 at least). – user3640967 Jan 05 '16 at 10:11
  • Replace it with `filter_input`. You don't use it along side it. – user2924019 Aug 24 '21 at 12:40
8

I agree with the other answerers that in most cases (almost always) it is necessary to sanitize Your input.

But consider such code (it is for a REST controller):

$method = $_SERVER['REQUEST_METHOD'];

switch ($method) {
            case 'GET':
                return $this->doGet($request, $object);
            case 'POST':
                return $this->doPost($request, $object);
            case 'PUT':
                return $this->doPut($request, $object);
            case 'DELETE':
                return $this->doDelete($request, $object);
            default:
                return $this->onBadRequest();
}

It would not be very useful to apply sanitizing here (although it would not break anything, either).

So, follow recommendations, but not blindly - rather understand why they are for :)

Rauni Lillemets
  • 2,299
  • 1
  • 26
  • 39
3

Just use

filter_input(INPUT_METHOD_NAME, 'var_name') instead of $_INPUT_METHOD_NAME['var_name'] filter_input_array(INPUT_METHOD_NAME) instead of $_INPUT_METHOD_NAME

e.g

    $host= filter_input(INPUT_SERVER, 'HTTP_HOST');
    echo $host;

instead of

    $host= $_SERVER['HTTP_HOST'];
    echo $host;

And use

    var_dump(filter_input_array(INPUT_SERVER));

instead of

    var_dump($_SERVER);

N.B: Apply to all other Super Global variable

Simone Rossaini
  • 8,115
  • 1
  • 13
  • 34
Sani Kamal
  • 1,208
  • 16
  • 26
2

Here is part of a line in my code that brought the warning up in NetBeans:

$page = (!empty($_GET['p']))

After much research and seeing how there are about a bazillion ways to filter this array, I found one that was simple. And my code works and NetBeans is happy:

$p = filter_input(INPUT_GET, 'p');
$page = (!empty($p))