Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

PHP's new input_filter does not read $_GET or $_POST arrays

In PHP 5.2 there was a nice security function added called "input_filter", so instead of saying:

$name = $_GET['name'];

you can now say:

$name = filter_input (INPUT_GET, 'name', FILTER_SANITIZE_STRING);

and it automatically sanitizes your string, there is also:

  • FILTER_SANITIZE_ENCODED
  • FILTER_SANITIZE_NUMBER_INT
  • FILTER_SANITIZE_EMAIL
  • FILTER_SANITIZE_URL

etc. so this is a very convenient security feature to use and I want to switch over to it completely.

The problem is... I often manipulate the $_GET and $_POST arrays before processing them, like this:

$_GET['name'] = '(default name)';

but it seems that filter_input does not have access to the changes in $_GET since it reads "INPUT_GET" which is of type int (?). It would be nice if I could get filter_input to read $_GET instead but:

$name = filter_input ( $_GET, 'name', FILTER_SANITIZE_STRING );

gives me the error:

Warning: filter_input() expects parameter 1 to be long, array given.

Can anyone think of a way that I could:

  • manipulate the source of INPUT_GET (whereever it is) so that I can change its values before filter_input can read them
  • get filter_input to read $_GET

ADDENDUM:


Rich asked: "Why are you changing the arrays anyway, surely you want them to be an input, rather than something you've programmatically inserted."

It is just a very convenient place to preprocess variables coming in, e.g. in order to:

  • set defaults (if $_GET['state'] = '' then $_GET['state'] = 'AL')
  • do manual processing (delete all spaces, etc.)
  • security (some of which will be done by filter_input now)

Then I know by the time I get the incoming variable, it is secure and valid. Of course I could copy the $_GET array to another array and process THAT array but that is just an unnecessary step since I $_GET is already a functioning array so it makes sense to do it with these system arrays that already exist.

like image 435
Edward Tanguay Avatar asked Nov 18 '08 11:11

Edward Tanguay


2 Answers

A handy way to do this without modifying the global array:

if (!($name = filter_input(INPUT_GET, 'name'))) {
    $name = 'default_value';
}

Or using the ternary operator:

$name = ($name = filter_input(INPUT_GET, 'name')) ? $name : 'default_value';
like image 73
Jrgns Avatar answered Sep 20 '22 10:09

Jrgns


You could manually force it to read the arrays again by using filter_var and filter_var_array

$name = filter_var ( $_GET['name'], FILTER_SANITIZE_STRING );
like image 44
Simon Avatar answered Sep 22 '22 10:09

Simon