Why does Netbeans warn you not to access global variables directly?

Viewed 675 times

7

Netbeans suggests that we do not access PHP global variables such as $_SERVER[''] directly. What is the suggestion in this case?

It’s usually done this way:

<?php

   $ip = $_SERVER["REMOTE_ADDR"];

?>

What is the advised way to take a global variable?

  • 1

    Netbeans doesn’t say anything else, does it? I think this recommendation can change depending on the context.

5 answers

8


I have no idea, but I see no problem doing this. If it were access to $_POST I would even understand that the suggestion would be to filter the content with filter_input or a similar technique. But in this case there can be no security failures.

I’ve seen them suggest filtering even this kind of variable, but it seems insane. If you can’t trust what the HTTP server gives you, you are in trouble.

I could be wrong, but I would guess that it is a false positive, which is common in static code analyzers.

There are 4 options:

  • Live with it;
  • turn off static analyzer;
  • put a hint comment to stop it from warning about this (you have to look it up in the documentation);
  • otherwise filter and satisfy the analyser.

    filter_input(INPUT_SERVER, 'REMOTE_ADDR')
    
  • 2

    Because I also think Netbeans is neurotic about security, I’ll take the hint and filter, it costs nothing.
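The fourth option above, filtering to satisfy the analyzer, can be turned into something that actually buys a check. The following is an added example, not code from the answer above: it reads REMOTE_ADDR through the filter extension and validates it as an IP address, so a malformed value is rejected rather than passed on. The function name and the constructed sample values are assumptions for illustration; the caveat about filter_input(INPUT_SERVER, ...) returning null on some SAPIs (it is a long-standing issue on IIS/FastCGI setups) is why the filter_var() fallback is there.

```php
<?php
// Added example (not from the original answer): read REMOTE_ADDR through the filter
// extension and validate it, instead of copying $_SERVER["REMOTE_ADDR"] raw.
//
// Assumption: the client address is the one the HTTP server saw (REMOTE_ADDR).
// Request headers such as X-Forwarded-For are client-controlled and are not consulted.

function client_ip(): ?string
{
    // filter_input() reads the value the SAPI handed to PHP; FILTER_VALIDATE_IP
    // returns false for anything that is not a syntactically valid IPv4/IPv6 address
    // and null if the variable does not exist at all.
    $ip = filter_input(INPUT_SERVER, 'REMOTE_ADDR', FILTER_VALIDATE_IP);

    // Caveat: on some SAPIs (known with IIS/FastCGI) filter_input(INPUT_SERVER, ...)
    // returns null even though $_SERVER is populated. Fall back to filter_var() on
    // $_SERVER so the same validation still runs.
    if ($ip === null && isset($_SERVER['REMOTE_ADDR'])) {
        $ip = filter_var($_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP);
    }

    return $ip === false ? null : $ip;
}

// Constructed sample values so this runs from the CLI, where REMOTE_ADDR is not set.
// Because filter_input() only sees what the SAPI provided at startup, these values
// exercise the filter_var() fallback path.
$samples = ['203.0.113.7', '2001:db8::1', '203.0.113.7<script>', ''];
foreach ($samples as $sample) {
    $_SERVER['REMOTE_ADDR'] = $sample;
    var_dump(client_ip());   // valid addresses come back as strings, the rest as null
}
```

Under a real web server the first branch is the one that normally runs; the fallback only matters where filter_input() cannot see INPUT_SERVER. Either way the caller receives a validated IP string or null, never an unchecked value.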

4

In the question’s example there is no problem. Request, session and server information in (pure) PHP comes through global variables; in other languages this information comes through objects, like the request object in Java, and PHP frameworks also provide objects to manipulate this information.

What is not very correct is to access or manipulate a global variable inside a function. The correct thing is to pass the global as an argument to the function, to avoid side effects such as the function breaking: a function should not suffer interference from anything external and should depend only on itself.

2

There is a recommendation not to use the global variable $_SERVER due to the risk of cross-site scripting, where someone can execute scripts on your server or, in other words, inject code.

As described in this article (in English).

When it is exposed to the client (in forms, for example) it can give openings to attacks and intrusions, so it is recommended to use the filter.

0

/* This is the correct way to declare a superglobal */
$post = filter_input_array(INPUT_POST, FILTER_DEFAULT);
$get = filter_input_array(INPUT_GET, FILTER_DEFAULT);

/* This is the correct way to assign a variable from a value coming from a superglobal */
$nomeDoname = $post["nomeDoname"];
$nomeDoget = $get["nomeDoget"];

-1

I’ve seen W3Schools recommending using it this way:

htmlspecialchars($_SERVER["PHP_SELF"]);

You can see the explanation here, search for that title:

How To Avoid $_SERVER["PHP_SELF"] Exploits?
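To make the PHP_SELF point in the two answers above concrete, here is an added example that is not part of either answer. $_SERVER["PHP_SELF"] is the script path as requested by the client, with any trailing path info appended, so the client controls part of it; the example shows what happens when that value is echoed raw into a form action and what htmlspecialchars() does to the same value. The function names and the constructed request path are assumptions for illustration.

```php
<?php
// Added example (not from the original answers): why htmlspecialchars() is applied to
// $_SERVER["PHP_SELF"] before it is echoed into a form action.
//
// PHP_SELF reflects the requested path, including PATH_INFO. A request for
//   /form.php/%22%3E%3Cscript%3Ealert(1)%3C/script%3E%3Cfoo%20a=%22
// gives a PHP_SELF of   /form.php/"><script>alert(1)</script><foo a="
// on typical Apache setups, because the server decodes the path before PHP sees it.

// Vulnerable: the raw value lands inside a double-quoted attribute. The embedded
// quote closes the attribute and the <script> element becomes part of the page
// (reflected cross-site scripting).
function form_action_unsafe(string $phpSelf): string
{
    return '<form method="post" action="' . $phpSelf . '">';
}

// Hardened: escape for the HTML attribute context. ENT_QUOTES encodes both quote
// styles, ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function form_action_safe(string $phpSelf): string
{
    return '<form method="post" action="'
        . htmlspecialchars($phpSelf, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '">';
}

// Constructed value standing in for $_SERVER["PHP_SELF"] under the request above,
// so the script runs from the CLI without a web server.
$phpSelf = '/form.php/"><script>alert(1)</script><foo a="';

echo "unsafe: ", form_action_unsafe($phpSelf), "\n";
echo "safe:   ", form_action_safe($phpSelf), "\n";
```

Running it shows the unsafe line containing a live <script> element, while the safe line keeps the whole payload inside the attribute as &quot; and &lt;/&gt; entities. The filter does not "clean" PHP_SELF; it only makes the value inert for the HTML context it is written into, which is the whole point of the W3Schools advice quoted above.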
