
I'm new to PHP, so forgive me if this is a stupid question but why should I not access items in the superglobal arrays directly? NetBeans warns me not to (see title), and I've read the same elsewhere -- however I haven't come across a good explanation yet.

What can go wrong? Is it a security concern, like SQL injection? Or something else?

There are several similar questions on StackOverflow, but none of the answers actually explain what the problem is: they just suggest using filter_input(). This doesn't satisfy me, since I like knowing how things work. Any explanation will be appreciated.

Obversity
  • your data may be hijacked by hackers .... – user1844933 Jan 22 '14 at 14:10
  • Because data which you receive from an unknown client may be corrupted. The loss of your database is the smallest problem here. XSS or using your server for spam attacks on others can create a lot of trouble, only because you didn't validate the user input. – Realitätsverlust Jan 22 '14 at 14:13
  • 1
    You can find useful tips at http://www.phptherightway.com/#data_filtering – a.yastreb Jan 22 '14 at 14:13
  • 1
    `$_GET` and `$_POST` pose the exact same security threats to your PHP script. When something says don't access directly then what it translates to is "Do not trust the source which provided the data, make sure to sanitize and verify before using it in your script". A good reason to not use `$_GET` specifically is when submitting forms because it can lead to a browser history trace so if it is a login screen then you can see `someScript.php?user=something&password=plainText` but with a POST you will not be able to see the values passed. – MonkeyZeus Jan 22 '14 at 14:17
  • Thanks @a.yastreb , reading that now. – Obversity Jan 22 '14 at 14:17
  • possible duplicate of [Is using superglobals directly good or bad in PHP?](http://stackoverflow.com/questions/3498207/is-using-superglobals-directly-good-or-bad-in-php) –  Apr 13 '14 at 14:08
  • possible duplicate of [Warning "Do not Access Superglobal $_POST Array Directly" on Netbeans 7.4 for PHP](http://stackoverflow.com/questions/19767894/warning-do-not-access-superglobal-post-array-directly-on-netbeans-7-4-for-ph) – Shahrokhian Apr 30 '14 at 18:05

1 Answer

Well, in normal cases there's no harm in using the superglobal variables directly,

but to stay on the safe side and to avoid a long list of possible attacks, you should filter the data coming from the user through those vars before using them in your application.

osmancode
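To make the answer and the comments concrete, here is an added example (not code from the question, the answer or NetBeans) contrasting a handler that reads `$_GET` directly with one that validates each parameter through `filter_input()` and escapes at the output boundary. The script name `show.php`, the parameters `id` and `q`, and the sample request `show.php?id=42&q=<b>hi</b>` are assumptions made for illustration.

```php
<?php
// Added example, not from the original post. Assumed request for illustration:
//   GET /show.php?id=42&q=<b>hi</b>
declare(strict_types=1);

// Pattern NetBeans warns about: the raw request value is trusted as-is.
function showItemUnsafe(): string
{
    $id = $_GET['id'];   // undefined-index warning if absent; may be "42abc" or "1 OR 1=1"
    $q  = $_GET['q'];    // echoed into HTML unescaped -> reflected XSS
    return "<p>Item $id, search: $q</p>";
}

// Safer pattern: validate type and range per parameter, fail closed, escape on output.
function showItemSafe(): string
{
    // FILTER_VALIDATE_INT returns false for "abc"/"42abc" and null when 'id' is absent.
    $id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === null || $id === false) {
        http_response_code(400);
        return '<p>Bad request: id must be a positive integer</p>';
    }

    // Free-text input: take the raw string (FILTER_UNSAFE_RAW), bound its length,
    // and escape it only where it is inserted into HTML.
    $q = filter_input(INPUT_GET, 'q', FILTER_UNSAFE_RAW) ?? '';
    if (mb_strlen($q, 'UTF-8') > 100) {
        http_response_code(400);
        return '<p>Bad request: q is too long</p>';
    }
    $safeQ = htmlspecialchars($q, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // $id is now a real int, so a parameterised query can bind it safely, e.g.
    //   $stmt = $pdo->prepare('SELECT name FROM items WHERE id = :id');
    //   $stmt->execute([':id' => $id]);
    return "<p>Item $id, search: $safeQ</p>";
}

header('Content-Type: text/html; charset=UTF-8');
echo showItemSafe();
```

Two caveats worth knowing: `filter_input()` reads the original request data, so values assigned to `$_GET` or `$_POST` at runtime (for example in a test) are not visible to it, which is why `filter_var()` over an explicit array is the usual choice for unit tests; and `filter_input()` distinguishes a missing key (`null`) from a value that failed validation (`false`), so check both rather than testing for falsiness alone.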