Warning "Do not Access Superglobal $_POST Array Directly" on NetBeans 7.4 for PHP
Note: this page is a Chinese-English translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must keep the same license, cite the original address, and attribute it to the original authors (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/19767894/
Asked by Kannika
I get this warning message on NetBeans 7.4 for PHP while using $_POST, $_GET, $_SERVER, ...
Do not Access Superglobal $_POST Array Directly
What does it mean? What can I do to correct this warning?
Edit: The Event sample code still shows this warning.
Accepted answer by Homerocker
filter_input(INPUT_POST, 'var_name')
instead of $_POST['var_name']
filter_input_array(INPUT_POST)
instead of $_POST
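As an added example (not part of the original answer), the block below shows what the filter API buys you beyond a different way of spelling $_POST['var_name']: the same definition array works with filter_input_array(INPUT_POST, ...) on a real request and with filter_var_array(...) on an explicit array, so the validation can be exercised on the command line. The field names, ranges and sample submissions are assumptions for illustration. Two details a practitioner should know: filter_input reads the request as it arrived, so anything your code writes into $_POST afterwards is invisible to it; and a failed filter returns false, or null when FILTER_NULL_ON_FAILURE is set, which lets one check cover both a missing field and an invalid one.

```php
<?php
declare(strict_types=1);

// Validation rules in the format accepted by both
// filter_input_array(INPUT_POST, $definition) and filter_var_array($data, $definition).
// Field names and ranges are assumed for this example.
const SIGNUP_DEFINITION = [
    'age' => [
        'filter'  => FILTER_VALIDATE_INT,
        'flags'   => FILTER_NULL_ON_FAILURE,
        'options' => ['min_range' => 13, 'max_range' => 120],
    ],
    'email' => [
        'filter' => FILTER_VALIDATE_EMAIL,
        'flags'  => FILTER_NULL_ON_FAILURE,
    ],
    'username' => [
        'filter'  => FILTER_VALIDATE_REGEXP,
        'flags'   => FILTER_NULL_ON_FAILURE,
        'options' => ['regexp' => '/^[a-z0-9_]{3,32}$/'],
    ],
];

/**
 * Validate a form submission against $definition.
 * Returns ['ok' => true, 'values' => [...]] with typed, validated values, or
 * ['ok' => false, 'errors' => [field, ...]] listing fields that were missing or invalid.
 */
function validateSignup(array $definition, ?array $input = null): array
{
    // filter_input_array reads the raw request, which is empty on the CLI, so this
    // helper accepts an explicit array for testing and falls back to the real request.
    $result = $input === null
        ? filter_input_array(INPUT_POST, $definition, true)
        : filter_var_array($input, $definition, true);

    // With add_empty=true a missing field appears as null, and with
    // FILTER_NULL_ON_FAILURE an invalid value also becomes null,
    // so a single isset() check rejects both cases.
    $errors = [];
    foreach (array_keys($definition) as $field) {
        if (!isset($result[$field])) {
            $errors[] = $field;
        }
    }

    return $errors === []
        ? ['ok' => true, 'values' => $result]
        : ['ok' => false, 'errors' => $errors];
}

// Constructed sample submissions (not taken from a real request).
$good = ['age' => '42', 'email' => 'alice@example.com', 'username' => 'alice_01'];
$bad  = ['age' => '9', 'email' => 'not-an-email', 'username' => "alice'; DROP TABLE users;--"];
$partial = ['email' => 'bob@example.com'];

foreach (['good' => $good, 'bad' => $bad, 'partial' => $partial] as $label => $submission) {
    echo $label, ': ', var_export(validateSignup(SIGNUP_DEFINITION, $submission), true), "\n";
}
```

On the "good" submission the returned age is the integer 42, not the string '42', which is the real gain over reading $_POST directly: the value is both checked and typed at the boundary. In a request handler you would call validateSignup(SIGNUP_DEFINITION) with no second argument and let it read INPUT_POST.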
Answer by Ricardo Palomares Martínez
Although a bit late, I came across this question while searching for the solution to the same problem, so I hope it can be of some help...
Found myself in the same darkness as you. Just found this article, which explains some new hints introduced in NetBeans 7.4, including this one:
https://blogs.oracle.com/netbeansphp/entry/improve_your_code_with_new
The reason it has been added is that superglobals are usually filled with user input, which should never be blindly trusted. Instead, some kind of filtering should be done, and that's what the hint suggests. Filter the superglobal value in case it has some poisoned content.
For instance, where I had:
$_SERVER['SERVER_NAME']
I've put instead:
filter_input(INPUT_SERVER, 'SERVER_NAME', FILTER_SANITIZE_STRING)
The filter_input and filters docs are here:
http://www.php.net/manual/en/function.filter-input.php
Answer by Rauni Lillemets
I agree with the other answerers that in most cases (almost always) it is necessary to sanitize your input.
But consider code such as this (it is for a REST controller):
// $request and $object are prepared by the surrounding controller code;
// REQUEST_METHOD is only ever compared against fixed strings here.
$method = $_SERVER['REQUEST_METHOD'];
switch ($method) {
    case 'GET':
        return $this->doGet($request, $object);
    case 'POST':
        return $this->doPost($request, $object);
    case 'PUT':
        return $this->doPut($request, $object);
    case 'DELETE':
        return $this->doDelete($request, $object);
    default:
        return $this->onBadRequest();
}
It would not be very useful to apply sanitizing here (although it would not break anything, either).
So, follow recommendations, but not blindly; rather, understand what they are for :)
Answer by Sani Kamal
Just use
filter_input(INPUT_METHOD_NAME, 'var_name') instead of $_INPUT_METHOD_NAME['var_name']
filter_input_array(INPUT_METHOD_NAME) instead of $_INPUT_METHOD_NAME
e.g.
$host= filter_input(INPUT_SERVER, 'HTTP_HOST');
echo $host;
instead of
$host= $_SERVER['HTTP_HOST'];
echo $host;
And use
var_dump(filter_input_array(INPUT_SERVER));
instead of
var_dump($_SERVER);
N.B.: This applies to all the other superglobal variables.
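Both the SERVER_NAME example in Ricardo Palomares Martínez's answer and the HTTP_HOST example above read a value that, for HTTP_HOST, is copied straight from the client's Host header, so it is attacker-controlled like any POST field. A sanitizer such as FILTER_SANITIZE_STRING (deprecated as of PHP 8.1) cannot tell a legitimate host from a forged one; the usual defence is to validate the header against the hosts the application actually serves. The block below is an added example, not code from either answer; ALLOWED_HOSTS and the sample request environments are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Hosts this application is allowed to answer for (assumed; set per deployment).
const ALLOWED_HOSTS = ['example.com', 'www.example.com'];

/**
 * Return the canonical host name for this request, or null when the Host header
 * is absent, malformed, or names a host this application does not serve.
 */
function trustedHost(array $allowed, ?array $server = null): ?string
{
    // Accept an explicit array so the function can be run on the CLI; otherwise read
    // the real request through filter_input, as the NetBeans hint recommends.
    $raw = $server === null
        ? filter_input(INPUT_SERVER, 'HTTP_HOST')
        : ($server['HTTP_HOST'] ?? null);
    if (!is_string($raw) || $raw === '') {
        return null;
    }

    // Normalise case and split off an optional port ("example.com:8443" -> "example.com").
    // Anything else, including CR/LF or bracketed IPv6 literals, fails the anchored pattern.
    $host = strtolower(trim($raw));
    if (preg_match('/^([a-z0-9.-]+)(:[0-9]{1,5})?$/', $host, $m) !== 1) {
        return null;
    }
    $host = rtrim($m[1], '.'); // drop a trailing dot from a fully qualified name

    // Syntactic check: label lengths and characters of a DNS hostname.
    if (filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
        return null;
    }

    // The decisive check: exact match against the allow-list. A sanitizer would pass
    // "attacker.example" through unchanged, which is exactly what a Host-header attack needs.
    return in_array($host, $allowed, true) ? $host : null;
}

// Constructed sample request environments (not from a real server).
$cases = [
    ['HTTP_HOST' => 'www.example.com'],
    ['HTTP_HOST' => 'Example.COM:8443'],
    ['HTTP_HOST' => 'attacker.example'],
    ['HTTP_HOST' => 'example.com.attacker.example'],
    ['HTTP_HOST' => "example.com\r\nX-Injected: 1"],
    [],
];
foreach ($cases as $env) {
    $shown = $env['HTTP_HOST'] ?? '(no Host header)';
    echo json_encode($shown), ' => ', var_export(trustedHost(ALLOWED_HOSTS, $env), true), "\n";
}
```

Only the first two cases yield a host ('www.example.com' and 'example.com'); the rest return null and should be answered with a 400 rather than used to build redirect or password-reset URLs. In a request handler, call trustedHost(ALLOWED_HOSTS) with no second argument so it reads INPUT_SERVER.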