This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.

Bug 239991 - INPUT_REQUEST not implemented yet - but hint on direct usage of $_REQUEST
Status: NEW
Alias: None
Product: php
Classification: Unclassified
Component: Editor
Version: 7.4
Hardware: All All
Importance: P4 normal
Assignee: Ondrej Brejla
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-01-04 22:08 UTC by minecrawlerx
Modified: 2014-01-05 18:35 UTC
0 users

See Also:
Issue Type: DEFECT
Exception Reporter:


Description minecrawlerx 2014-01-04 22:08:19 UTC
INPUT_REQUEST not implemented yet - but NB throws a hint on direct usage of $_REQUEST.

So basically, how should I implement $_REQUEST, if I should not use it directly? RIGHT, there is filter_var(); but guess what? It still throws a hint.
I saw the report on throwing a hint on the direct usage (234280), but I cannot agree with it. As long as INPUT_REQUEST and INPUT_SESSION are not implemented, there should not be a hint on direct usage.
The best possible solution imho would be to test if $_REQUEST or $_SESSION are used in a "filtering function" or not.

"Filtering functions" should be
filter_*, is_* and isset()


Here is a simple sample code for a complete filter_has_var() alternative which should not trigger any hints (at the moment, the line with isset($_REQUEST[$key]) does):

/**
 * Checks if super global contains key
 * The following values for TYPE are possible:
 * - INPUT_POST
 * - INPUT_GET
 * - INPUT_COOKIE
 * - INPUT_ENV
 * - INPUT_SERVER
 * - INPUT_SESSION
 * - INPUT_REQUEST
 * 
 * @param integer $type
 * @param string $key
 * @return boolean
 */
function issetSG($type, $key)
{
    switch($type)
    {
        // Compare against the integer constant, not its name as a string.
        case INPUT_SESSION:
        {
            $r = isset($_SESSION[$key]);
            break;
        }
        
        case INPUT_REQUEST:
        {
            $r = isset($_REQUEST[$key]);
            break;
        }
        
        default:
        {
            $r = filter_has_var($type, $key);
            break;
        }
    }
    
    return $r;
}

Product Version: NetBeans IDE Dev (Build nbms-and-javadoc-1140-on-20140101)
Java: 1.7.0_45; Java HotSpot(TM) 64-Bit Server VM 24.45-b08
Runtime: Java(TM) SE Runtime Environment 1.7.0_45-b18
System: Windows 8 version 6.2 running on amd64; Cp1252; de_DE (nb)
Comment 1 Ondrej Brejla 2014-01-05 09:17:17 UTC
Your code doesn't have a problem just with $_REQUEST; if I rename it to $_POST, the hint appears too. I have to look at it.
Comment 2 Ondrej Brejla 2014-01-05 09:29:38 UTC
The isset() function isn't in our list of validator/filtering functions. It doesn't validate anything, just whether the "key exists". I can add it, but it doesn't say anything about the value of the item: whether it's an integer, a float, or whether it's filtered (escaped), etc. It just says that the key exists. And that's not the purpose of this hint. It tries to force you to "be sure" that the data from that item will be in the form you want: escaped, or at least of some proper type. So for me this is invalid, but I'll leave it as P4 and will think about it again some day. Thanks.
Comment 3 minecrawlerx 2014-01-05 18:35:51 UTC
Well, with isset you do get a proper type which even cannot be malicious. You get a boolean!
I often just need to know if a variable is set (and I don't even care about the value). This situation should not trigger a hint.
Also, functions that implement INPUT_REQUEST should not give errors.

Try for instance

$REQUEST = filter_var_array($_REQUEST, $filters);

and $_REQUEST will give the hint. But actually I am filtering it in this particular line.
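
The difference discussed in Comments 2 and 3 between checking that a key exists and validating its value, shown as an added example that is not part of the bug report or of NetBeans. The helper names request_has() and request_input() are hypothetical, and the $_REQUEST contents are constructed sample data.

```php
<?php
// Added example, not from the bug report: request_has() and request_input()
// are hypothetical helper names.

/** Presence check only; it says nothing about the type or content of the value. */
function request_has($key)
{
    return array_key_exists($key, $_REQUEST);
}

/**
 * Validate one $_REQUEST item with filter_var().
 * Follows filter_input()'s convention: null when the key is missing,
 * false when the value fails the filter.
 */
function request_input($key, $filter = FILTER_DEFAULT, $options = 0)
{
    if (!array_key_exists($key, $_REQUEST)) {
        return null;
    }
    return filter_var($_REQUEST[$key], $filter, $options);
}

// Constructed sample data standing in for a real request.
$_REQUEST = array(
    'page'  => '12',        // numeric string
    'limit' => '500',       // numeric, but outside the range allowed below
    'id'    => array('1'),  // array value, as produced by id[]=1
);

$range = array('options' => array('min_range' => 1, 'max_range' => 100));

var_dump(request_has('id'));                                   // presence only
var_dump(request_input('page', FILTER_VALIDATE_INT, $range));  // validated value
var_dump(request_input('limit', FILTER_VALIDATE_INT, $range)); // out of range
var_dump(request_input('id', FILTER_VALIDATE_INT));            // array, not a scalar
var_dump(request_input('missing', FILTER_VALIDATE_INT));       // key absent
```

request_has('id') is true for the array value while request_input('id', FILTER_VALIDATE_INT) rejects it, which is the gap between a presence check and validation.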