Why does NetBeans warn you that you should not access global variables directly?

7

NetBeans suggests that we do not access PHP global variables such as $_SERVER[''] directly; what is the suggestion in this case?

It's usually done like this:

    <?php
    $ip = $_SERVER["REMOTE_ADDR"];
    ?>

What is the best way to get a global variable?

    
asked by anonymous 23.12.2015 / 13:32

5 answers

8

I have no idea. I see no problem in doing this. If it were access to a $_POST I would even understand that the suggestion would be to filter the content with a filter_input or similar technique. But in this case security flaws cannot happen.

I've seen it suggested to filter even this kind of variable, but it seems insane to me. If you cannot trust what the HTTP server gives you, you're chipped.

I may be wrong but I would kick it out as a false positive, which is common in static code analyzers.

There are 4 paths:

  • Live with it;
  • Turn off the static parser;
  • put a tip comment for it to stop warning you (have to look in the documentation);
  • Counter-filter and satisfy the parser.

    filter_input(INPUT_SERVER, 'REMOTE_ADDR')
    
23.12.2015 / 13:46
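The "counter-filter" option from the answer above, written out as an added example (not code from the original answer): it reads REMOTE_ADDR through filter_input, but with FILTER_VALIDATE_IP so the value is validated rather than merely fetched. It assumes a web SAPI that populates the server input; the function name clientIp is an assumption of this example.

```php
<?php
// Added example, not from the original answer: validate REMOTE_ADDR
// instead of just reading it, which also satisfies the static analyzer.

/**
 * Return the client address as a syntactically valid IPv4/IPv6 string,
 * or null when it is absent or does not validate.
 */
function clientIp(): ?string
{
    // filter_input reads the original request data; FILTER_VALIDATE_IP
    // returns false for a malformed value and null for a missing key.
    $ip = filter_input(INPUT_SERVER, 'REMOTE_ADDR', FILTER_VALIDATE_IP);

    // Caveat: on some FastCGI setups INPUT_SERVER is not populated and
    // filter_input returns null even though $_SERVER has the value.
    // Fall back to validating the array entry with filter_var in that case.
    if ($ip === null && isset($_SERVER['REMOTE_ADDR'])) {
        $ip = filter_var($_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP);
    }

    return ($ip === false || $ip === null) ? null : $ip;
}

$ip = clientIp();
if ($ip === null) {
    http_response_code(400);
    exit('Could not determine client address');
}

// Escape before placing the value in HTML output.
echo 'Client: ' . htmlspecialchars($ip, ENT_QUOTES, 'UTF-8');
```

Validating the address is cheap and makes the code robust to a misconfigured proxy or SAPI handing over something that is not an IP; the fallback keeps the lookup working where INPUT_SERVER is empty.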
4

In the query example there is no problem; request, session and server information in (pure) PHP comes through global variables. In other languages such information comes through objects like the Java request, and PHP frameworks also provide objects to manipulate this information.

What is not very correct is to access / manipulate a global variable within a function; the correct thing is to pass this global as a function argument, to avoid side effects such as breaking operation. A function should not suffer interference from anything external; it should depend only on itself.

    
23.12.2015 / 13:46
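An added example (not code from the original answer) of the point above: the same check written once reading $_SERVER inside the function and once taking the value as an argument. The function names isLocalRequestGlobal and isLocalRequest are assumptions of this example.

```php
<?php
// Added example, not from the original answer: keep globals out of functions.

// Harder to test and reason about: the function reaches into the global,
// so its result depends on whatever environment it happens to run in.
function isLocalRequestGlobal(): bool
{
    return ($_SERVER['REMOTE_ADDR'] ?? '') === '127.0.0.1';
}

// Preferable: the value is an explicit argument; the function depends
// only on its input and has no hidden coupling to the request.
function isLocalRequest(string $remoteAddr): bool
{
    return in_array($remoteAddr, ['127.0.0.1', '::1'], true);
}

// The global is read once, at the boundary, and passed in.
$remoteAddr = $_SERVER['REMOTE_ADDR'] ?? '';
var_dump(isLocalRequest($remoteAddr));

// Because nothing inside the function touches $_SERVER, it can be
// exercised with constructed input, outside of any web request.
assert(isLocalRequest('::1') === true);
assert(isLocalRequest('203.0.113.5') === false);
```

The second form is what the analyzer is nudging you towards: the global is still read, but in exactly one place, and everything downstream works on a plain value.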
2

There is a recommendation not to use the global variable $_SERVER because of the risk of cross-site scripting, that is, that someone is able to run scripts on your server or, in other words,

As described in this article (in English).

When exposed to the client (in forms, for example) it can give openings to attacks and intrusions, so it is recommended to use the filter.

    
06.03.2017 / 17:19
0
<?php
/* This is the correct way to declare a superglobal. filter_input_array returns
   null when the input is empty, so default to an empty array. */
$post = filter_input_array(INPUT_POST, FILTER_DEFAULT) ?? [];
$get = filter_input_array(INPUT_GET, FILTER_DEFAULT) ?? [];

/* This is the correct way to assign a variable from a value that comes from a
   superglobal; the ?? avoids a warning when the key is missing. */
$nomeDoname = $post["nomeDoname"] ?? null;
$nomeDoget = $get["nomeDoget"] ?? null;
    
26.09.2018 / 16:23
-1

I've seen W3School recommending it this way:

htmlspecialchars($_SERVER["PHP_SELF"]);

You can see the explanation here; search for this title:

  

How To Avoid $_SERVER["PHP_SELF"] Exploits?

    
26.10.2016 / 15:08
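The escaping recommended in the answer above, and the filtering recommended in the earlier answer about cross-site scripting, as one added example (not code from the original answers). It assumes a page that renders a form posting back to itself; the sample value is constructed here to show the encoding.

```php
<?php
// Added example, not from the original answers: PHP_SELF is derived from
// the request path (including any PATH_INFO suffix the client appends),
// so it is client-controlled input and must be treated as such.

/** Encode a value for use inside a double- or single-quoted HTML attribute. */
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$self = $_SERVER['PHP_SELF'] ?? '';

// Unsafe: the raw path is placed inside an attribute unchanged.
// echo '<form method="post" action="' . $self . '">';

// Safe: the value is encoded for the attribute context it lands in.
echo '<form method="post" action="' . attr($self) . '">';

// Often better still: do not reflect the request path at all. An empty
// action submits to the current URL, and a fixed route avoids echoing input.
echo '<form method="post" action="">';

// Constructed sample (not a real request) showing what the encoding does:
// the quote and angle brackets become entities and can no longer close the attribute.
$sample = '/index.php/"<>';
echo attr($sample);
```

ENT_QUOTES matters: without it a single quote passes through unchanged, which is enough to break out of a single-quoted attribute.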