Warning "Do not Access Superglobal $_POST Array Directly" on Netbeans 7.4 for PHP

php netbeans superglobals netbeans-7.4

I've got this message warning on Netbeans 7.4 for PHP while I'm using $_POST, $_GET, $_SERVER, ....

Do not Access Superglobal $_POST Array Directly

What does it mean? What can I do to correct this warning?

Edit: The Event sample code still shows this warning.


Solution 1:

filter_input(INPUT_POST, 'var_name') instead of $_POST['var_name']
filter_input_array(INPUT_POST) instead of $_POST

Solution 2:

Although a bit late, I've come across this question while searching the solution for the same problem, so I hope it can be of any help...

Found myself in the same darkness than you. Just found this article, which explains some new hints introduced in NetBeans 7.4, including this one:

https://blogs.oracle.com/netbeansphp/entry/improve_your_code_with_new

The reason why it has been added is because superglobals usually are filled with user input, which shouldn't ever be blindly trusted. Instead, some kind of filtering should be done, and that's what the hint suggests. Filter the superglobal value in case it has some poisoned content.

For instance, where I had:

$_SERVER['SERVER_NAME']

I've put instead:

filter_input(INPUT_SERVER, 'SERVER_NAME', FILTER_SANITIZE_STRING)

You have the filter_input and filters doc here:

http://www.php.net/manual/en/function.filter-input.php

http://www.php.net/manual/en/filter.filters.php

Solution 3:

I agree with the other answerers that in most cases (almost always) it is necessary to sanitize Your input.

But consider such code (it is for a REST controller):

$method = $_SERVER['REQUEST_METHOD'];

switch ($method) {
            case 'GET':
                return $this->doGet($request, $object);
            case 'POST':
                return $this->doPost($request, $object);
            case 'PUT':
                return $this->doPut($request, $object);
            case 'DELETE':
                return $this->doDelete($request, $object);
            default:
                return $this->onBadRequest();
}

It would not be very useful to apply sanitizing here (although it would not break anything, either).

So, follow recommendations, but not blindly - rather understand why they are for :)

Related

How to enable logging for apache commons HttpClient on Android
How to make one color transparent on a UIImage?
Any way to run shell commands on android programmatically?
How do I send an HTML Form in an Email .. not just MAILTO
How to check MIUI autostart permission programmatically?
How do I add a library (android-support-v7-appcompat) in IntelliJ IDEA
Try-catch-finally-return clarification [duplicate]
TextWatcher for more than one EditText
error LNK2005, already defined?
How to add items into a numpy array
Is it possible to use Full Text Search (FTS) with LINQ?
How to overlay/downmix two audio files using ffmpeg