Php – Is it safe to directly access superglobals with isset()

PHP

I understand that one should always try to avoid direct access to superglobals to put values from superglobals into variables, eg.:

$name = filter_input(INPUT_POST, 'name'); 
//instead of 
$name = $_POST['name']; // not safe

My question if it is safe to use isset() to test if a superglobal is present, eg:

if (isset($_POST['name')) {

}

I personally do not understand why this would not be good practice, but I am not that advanced in programming.

(Recently I started using Netbeans, and it gives me a tooltip recommending to change this code. Maybe the message is not entirely correct, but I would rather know for sure. I have not found a good answer anywhere else.)

Best Answer

It is safe to use isset function in super globals. It is very effective to trigger events for a specific submit event. It only checks if the global variable is existing and will not trigger any damage such as XSS/Code/SQL injection.

I think the recommendation you received to change the code is that you need to...

$name = filter_input(INPUT_POST, 'name');

then...

if (isset($name)) {
}

Related Solutions

Php – Why do many PHP Devs hate using isset() and/or any of PHP’s similarly defensive functions like empty()

I code to E_STRICT and nothing else.

Using empty and isset checks does not make your code ugly, it makes your code more verbose. In my mind what is the absolute worst thing that can happen from using them? I type a few more characters.

Verses the consequences of not using them, at the very least warnings.

PHP Superglobals – Directly Modifying Superglobals

Given that PHP is already setting those superglobals, I don't think it's evil to modify them. In some cases, it may be the best way to solve problems... particularly when dealing with third party code that you cannot easily modify. (They might use $_GET directly or assume some key exists in $_SERVER, etc.)

However, generally speaking, I think it's a bad practice when you are writing your own code. Modifying the $_REQUEST data with some behind the scenes filter that runs on every page automatically is likely to introduce side effects. (See all the problems that "magic quotes" caused for proof.)

So if you aren't going to do that (automatically filter the superglobals), then the following doesn't give you any benefits:

$_POST['foo'] = filter($_POST['foo']);

when you can easily just do:

$foo = filter($_POST['foo']);

I think it's much more clear to make the site-wide distinction that $_POST and $_GET are always unfiltered, untrusted data, and they should never be used as-is.

By copying the filtered value to another variable, you are making the claim that, "I understand what I'm doing... I've filtered this input, and it's safe to use."

Best Answer

Related Solutions

Php – Why do many PHP Devs hate using isset() and/or any of PHP’s similarly defensive functions like empty()

PHP Superglobals – Directly Modifying Superglobals

Related Topic