"Do not Access Superglobal $_REQUEST Array Directly." Netbeans 8.0 PHP


Question

This question is being asked after having read a few others.

Do not Access Superglobal $_GET Array Directly

Do not Access Superglobal $_SERVER Array Directly on Netbeans 7.4 for PHP

Why is filter_input() incomplete?

I have loaded up the latest version Netbeans 8.0 and I have seen a warning

Do not Access Superglobal $_REQUEST Array Directly.

Great, I am happy to be shown when I am doing something which can be improved upon, so I look at the hints.

The hint is simple.

Use some filtering functions instead (e.g. filter_input(), conditions with is_*() functions, etc.).

So I start looking into filter_input(), however it is not yet implemented for $_REQUEST. This seems like a little bit of a dead end.

Then I read something which was quite helpful from (@bobince) "At the start of your script when you're filtering, you don't know where your input is going to end up, so you don't know how to escape it."

It reminded me, I know exactly where my input is going to end up, and exactly what it will be used for. So, I wanted to ask everyone if the approach I am going to take is essentially safe.

I am designing a REST-ish API and I am using $_SERVER['REQUEST_METHOD']; to determine the resource which needs to be returned. I am also using $_REQUEST['resource']; which should contain everything on the URI after /api/ following the .htaccess rewrite.

The questions I have about my approach are:

  1. If I always validate $_SERVER['REQUEST_METHOD']; to be within the required GET PUT POST DELETE (which I will need to do anyway), is there really a problem not filtering the input?
  2. Should I be accessing the $_REQUEST['resource']; by using filter_input (INPUT_GET, 'resource');? When this will only be used to determine a resource, and where the resource can not be determined (say someone attempts to add malicious code) we will simply not find a resource and return a 404 Not Found status.
  3. Are there any other considerations I need to take into account, and have I missed anything critical in my understanding?

I realise this may seem like a lot of concern for what is only considered a warning; however, in my experience, fixing just the errors will give you working code, but fixing the warnings will help you understand why the code works.

Recommended answer

So I start looking into filter_input(), however it is not yet implemented for $_REQUEST. This seems like a little bit of a dead end.

I'd say it is not a dead end but on purpose. filter_input() requires you to clearly specify the input type. $_REQUEST is not clear about it: it contains input from various sources, allowing one source to overwrite another.

Next to that this is also not what the warning precisely wants to tell you. Swapping a superglobal like $_GET with an equally superglobal function like filter_input(INPUT_GET, ...) shows the same design flaw. But Netbeans can't warn you as easily about it.

And getting rid of superglobals is already a good idea.

Instead, inject input data into your application at a low-level place, e.g. bootstrapping the request information, and do not use any superglobals nor the filter_input function in the rest of your code.

That will allow you to easily simulate any request method without even having an actual request.
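As an added illustration of the bootstrapping approach described in this answer (example code written for this page, not from the question, the answer or Netbeans), assuming PHP 8.1+; the `Request` class, `route()` function and handler names are hypothetical:

```php
<?php
declare(strict_types=1);

// Immutable request value object. The only place that reads superglobals is fromGlobals();
// it reads $_SERVER and $_GET explicitly, never the merged $_REQUEST, so no source can
// silently override another.
final class Request
{
    private const METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
    // Resource path after /api/: segments of [A-Za-z0-9_-] separated by '/'.
    private const RESOURCE = '~^[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*$~';

    private function __construct(public readonly string $method, public readonly ?string $resource) {}

    // Build from plain arrays, so tests can pass constructed data with no real HTTP request.
    public static function fromArrays(array $server, array $query): self
    {
        $method = strtoupper((string) ($server['REQUEST_METHOD'] ?? ''));
        if (!in_array($method, self::METHODS, true)) {
            throw new InvalidArgumentException('Unsupported method: ' . $method);
        }
        $raw = $query['resource'] ?? null;
        // Anything that is not a plain path (arrays, unexpected characters) maps to "no resource".
        $resource = is_string($raw) && preg_match(self::RESOURCE, $raw) === 1 ? $raw : null;
        return new self($method, $resource);
    }

    // Bootstrap entry point; the rest of the code base never touches superglobals.
    public static function fromGlobals(): self
    {
        return self::fromArrays($_SERVER, $_GET);
    }
}

// Application code depends on Request only. An unrecognised resource becomes 404,
// which is the behaviour the question describes.
function route(Request $r, array $handlers): array
{
    $key = $r->method . ' ' . ($r->resource ?? '');
    if ($r->resource === null || !isset($handlers[$key])) {
        return [404, 'Not Found'];
    }
    return [200, $handlers[$key]()];
}

$handlers = ['GET users/42' => fn() => 'user 42'];
// Simulated requests built from constructed sample arrays; no HTTP request is involved.
[$status] = route(Request::fromArrays(['REQUEST_METHOD' => 'GET'], ['resource' => 'users/42']), $handlers);
echo $status, "\n";
[$status] = route(Request::fromArrays(['REQUEST_METHOD' => 'GET'], ['resource' => 'not a valid+path']), $handlers);
echo $status, "\n";
```

In production the front controller calls `Request::fromGlobals()` once; everything else, including tests, goes through `fromArrays()`.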
