This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.

Bug 239991 - INPUT_REQUEST not implemented yet - but hint on direct usage of $_REQUEST
Summary: INPUT_REQUEST not implemented yet - but hint on direct usage of $_REQUEST
Status: NEW
Alias: None
Product: php
Classification: Unclassified
Component: Editor (show other bugs)
Version: 7.4
Hardware: All All
: P4 normal (vote)
Assignee: Ondrej Brejla
Depends on:
Reported: 2014-01-04 22:08 UTC by minecrawlerx
Modified: 2014-01-05 18:35 UTC (History)
0 users

See Also:
Issue Type: DEFECT
Exception Reporter:


Note You need to log in before you can comment on or make changes to this bug.
Description minecrawlerx 2014-01-04 22:08:19 UTC
INPUT_REQUEST not implemented yet - but NB throws a hint on direct usage of $_REQUEST.

So basically, how should I implement $_REQUEST, if I should not use it directly? RIGHT, there is filter_var(); but guess what? It still throws a hint.
I saw the report on throwing a hint on the direct usage(234280), but I cannot agree with it. As long as INPUT_REQUEST and INPUT_SESSION is not implemented, there should not be a hint on direct usage.
The best possible solution imho would be to test if $_REQUEST or $_SESSION are used in a "filtering function" or not.

"Filtering functions" should be
filter_*, is_* and isset()

Here is a simple sample code for a complete filter_has_var() alternative which should not trigger any hints (at the moment, the line with isset($_REQUEST[$key]) does):

 * Checks if super global contains key
 * The following values for TYPE are possible:
 * @param integer $type
 * @param string $key
 * @return boolean
function issetSG($type, $key)
        case 'INPUT_SESSION':
            $r = isset($_SESSION[$key]);
        case 'INPUT_REQUEST':
            $r = isset($_REQUEST[$key]);
            $r = filter_has_var($type, $key);
    return $r;

Product Version: NetBeans IDE Dev (Build nbms-and-javadoc-1140-on-20140101)
Java: 1.7.0_45; Java HotSpot(TM) 64-Bit Server VM 24.45-b08
Runtime: Java(TM) SE Runtime Environment 1.7.0_45-b18
System: Windows 8 version 6.2 running on amd64; Cp1252; de_DE (nb)
Comment 1 Ondrej Brejla 2014-01-05 09:17:17 UTC
Your code doesn't have a problem just with the $_REQUEST, if I rename it to $_POST hint appears too. I have to look at it.
Comment 2 Ondrej Brejla 2014-01-05 09:29:38 UTC
isset() function isn't in our list of validator/filtering functions. It doesn't validates anything, just if "key exists". I can add it but it doesn't say anything about the value of the item - if it's integer, float, or if it's filtered (escaped) etc. It just say that the key exists. And it's not a purpose of this hint. It tries to force you to "be ensure" that the data from that item will be in a form you want - escaped or at least in some proper type. So for me this is invalid, but I'll leave it as P4 and will think about it some day again. Thanks.
Comment 3 minecrawlerx 2014-01-05 18:35:51 UTC
Well, with isset you do get a proper type which even cannot be malicious. You get a boolean!
I often just need to know, if a variable is set (and I don't even care about the value). This situation should not trigger a hint.
Also functions that implement INPUT_REQUEST should not give errors

Try for instance

$REQUEST = filter_var_array($_REQUEST, $filters);

and $_REQUEST will give the hint. But actually I am filtering it in this particular line.