Asked 9 months ago. Answers: 5. Viewed 50 times.

I just upgraded my IDE (NetBeans) to 1.7.4 beta, to test it out... and it seems that now it is giving me a warning whenever I access my superglobal variable. It says

Do not access superglobal $_POST Array Directly

I am currently just using this

 $taxAmount = intval(ceil($_POST['price']*($TAX-1)));

How much of a security concern is this really?

Is this the proper way to do it, and does it make a difference?

 $price = $_POST['price'];
 $taxAmount = intval(ceil($price*($TAX-1)));



No, you can use your first method and not fill the memory with duplicate data. The only concern here is to validate it before using, and if you copy it to another variable, you need to do the same on it also.

Wednesday, March 31, 2021
answered 9 Months ago
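The validation the answer above calls for, as an added example that is not part of the question or the answer: the raw value is checked with PHP's filter extension before it reaches the arithmetic, whether it is read straight from the request or copied first. $TAX comes from the question; its value, the upper price bound and the function names are assumptions for illustration.

```php
<?php
// Added example, not code from the question or the answers.
// $TAX is the application's own constant from the question; 1.2 is a constructed value.
$TAX = 1.2;

/**
 * Validate a submitted price. Returns the price as a float, or null when the
 * value is missing, not numeric, negative, or implausibly large.
 * The 1,000,000 ceiling is an assumed business limit for this illustration.
 */
function validatedPrice($raw): ?float
{
    // FILTER_VALIDATE_FLOAT rejects "abc" and "19.99abc" outright, so the
    // later multiplication never sees a string PHP would have to coerce.
    $price = filter_var($raw, FILTER_VALIDATE_FLOAT);
    if ($price === false || $price < 0 || $price > 1000000) {
        return null;
    }
    return $price;
}

/** The question's tax calculation, applied only to a validated price. */
function taxAmount(?float $price, float $TAX): ?int
{
    return $price === null ? null : intval(ceil($price * ($TAX - 1)));
}

// For the real request, filter_input() does what filter_var() does above
// without touching $_POST directly, which is what the NetBeans hint points at.
// $taxAmount = taxAmount(validatedPrice(filter_input(INPUT_POST, 'price')), $TAX);

// Constructed inputs: a valid price, two non-numeric strings, a negative
// value and a scientific-notation value (accepted by FILTER_VALIDATE_FLOAT).
foreach (['19.99', 'abc', '19.99abc', '-5', '1e3'] as $raw) {
    $result = taxAmount(validatedPrice($raw), $TAX);
    printf("%-10s => %s\n", var_export($raw, true), $result === null ? 'rejected' : $result);
}
```

Note that filter_input() returns null for an absent field and false for an invalid one; validatedPrice() treats both as a rejection.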

readfile does not execute the code on your server so there is no issue there.

However, some strange folks could use your server to perform web requests in order to get your server into trouble by making unauthorized requests or cause overloading so you'll want to keep that in mind when coding this type of functionality.

according to the manual, it seems that if I want to use a URL with readfile, I need to enable fopen wrappers

Yes, you'll need to make sure that allow_url_fopen is on. If it isn't, you'll have to look into using cURL.

Wednesday, March 31, 2021
answered 9 Months ago
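One way to keep the server from being pointed at arbitrary hosts, as the answer above warns about, is to allowlist what readfile() may fetch. This is an added example, not code from the answer; the allowed host names and the function names are assumptions.

```php
<?php
// Added example, not code from the answer. Restricts readfile() to http(s)
// URLs on an assumed allowlist of hosts, so the server cannot be used as a
// relay for requests to other destinations.
const ALLOWED_HOSTS = ['static.example.com', 'cdn.example.org']; // constructed

/**
 * Returns the URL when it may be passed to readfile(), otherwise null.
 * Only http/https to an allowlisted host is accepted; embedded credentials
 * and explicit ports are rejected because they change where the request goes.
 */
function checkedRemoteUrl(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null; // excludes file://, php://, ftp:// and other wrappers
    }
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        return null;
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return null;
    }
    return $url;
}

/** Serve a remote file, honouring the allow_url_fopen requirement from the answer. */
function serveRemote(string $url): bool
{
    if (!ini_get('allow_url_fopen')) {
        return false; // URL wrappers are disabled; readfile() would fail anyway
    }
    $safe = checkedRemoteUrl($url);
    return $safe !== null && readfile($safe) !== false;
}

// Constructed inputs showing which URLs the check lets through.
$samples = [
    'https://static.example.com/site.css',
    'http://127.0.0.1:8080/status',
    'file:///tmp/local.txt',
    'https://user@static.example.com/site.css',
];
foreach ($samples as $u) {
    printf("%-45s %s\n", $u, checkedRemoteUrl($u) === null ? 'blocked' : 'allowed');
}
```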

It's just a warning to show that there is no password for the default user root. If you want to set password for root:

  1. Open phpmyadmin interface
  2. Click "Users" tab
  3. Select user "root"
  4. Edit Privileges
  5. Change password

Saturday, May 29, 2021
answered 7 Months ago

What data do you actually need? - Best way for most data is to refer to the C structure they are coming from. For instance with request data you can check the sapi_globals, accessible using the SG() macro, session data is available via the session module, ...

If you really need access to a super global you can find it in the EG(symbol_table) hash table. As PHP has a JIT mechanism to provide super globals only when needed, you might need to call zend_auto_global_disable_jit() first to disable this.

Answering the comment below: Is any of this data enough:

typedef struct {
    const char *request_method;
    char *query_string;
    char *post_data, *raw_post_data;
    char *cookie_data;
    long content_length;
    uint post_data_length, raw_post_data_length;

    char *path_translated;
    char *request_uri;

    const char *content_type;

    zend_bool headers_only;
    zend_bool no_headers;
    zend_bool headers_read;

    sapi_post_entry *post_entry;

    char *content_type_dup;

    /* for HTTP authentication */
    char *auth_user;
    char *auth_password;
    char *auth_digest;

    /* this is necessary for the CGI SAPI module */
    char *argv0;

    /* this is necessary for Safe Mode */
    char *current_user;
    int current_user_length;

    /* this is necessary for CLI module */
    int argc;
    char **argv;
    int proto_num;
} sapi_request_info;

typedef struct _sapi_globals_struct {
    void *server_context;
    sapi_request_info request_info;
    sapi_headers_struct sapi_headers;
    int read_post_bytes;
    unsigned char headers_sent;
    struct stat global_stat;
    char *default_mimetype;
    char *default_charset;
    HashTable *rfc1867_uploaded_files;
    long post_max_size;
    int options;
    zend_bool sapi_started;
    time_t global_request_time;
    HashTable known_post_content_types;
} sapi_globals_struct;

Then use SG(request_info).request_uri or similar, while you should only read these values, not write, so make a copy if needed.

None of these is enough? - Then go back to what I said above:

/* untested code, might need some error checking and stuff */
zval **server_pp;
zval **value_pp;
/* make sure $_SERVER is populated even though nothing in userland touched it */
zend_auto_global_disable_jit("_SERVER", sizeof("_SERVER")-1 TSRMLS_CC);
/* hash APIs take the length including the terminating null byte, hence sizeof() */
if (zend_hash_find(EG(symbol_table), "_SERVER", sizeof("_SERVER"), (void**)&server_pp) == FAILURE) {
    zend_bailout(); /* worst way to handle errors */
}
if (Z_TYPE_PP(server_pp) != IS_ARRAY) {
    zend_bailout(); /* $_SERVER exists but is not an array */
}
if (zend_hash_find(Z_ARRVAL_PP(server_pp), "YOUR_VARNAME", sizeof("YOUR_VARNAME"), (void**)&value_pp) == FAILURE) {
    zend_bailout(); /* key not present */
}
/* now do something with value_pp */

Please mind that I just typed it here out of my mind without checking anything so it can be wrong, contain typos etc. And as a note: You should be aware of the fact that you have to use sizeof() not sizeof()-1 with hash APIs as the terminating null-byte is part of the calculated hash, and hash functions return SUCCESS or FAILURE, while SUCCESS is defined as 0 and FAILURE as -1 which is not what one might expect, so always use these constants!

Tuesday, August 17, 2021
answered 4 Months ago

So when GET/POST, I'm adding to each variable htmlentities function?

No need to. You should however, use htmlentities when outputting user-generated data to a browser, to prevent XSS attacks.

What would replace mysql_real_escape_string? Should I use it?

You shouldn't use mysql_real_escape_string as it's for MySQL. Nothing replaces this on MongoDB, the driver takes care of escaping the data for you.

Is there a way to check if a string is really a UID?

The only way to validate it is to query MongoDB with that string and check if it exists.

You can however, validate if the format is correct:

$id = '4f1b166d4931b15415000000';
$a = new MongoId($id);
var_dump($a->{'$id'} == $id); // true

$id = 'foo';
$a = new MongoId($id);
var_dump($a->{'$id'} == $id); // false

Anything else I should be aware of when using MongoDB and PHP? I do get my cookies using javascript, and searching in my DB using the cookies. What about that?

Not much. As for any web application, you are very discouraged from storing sensitive data in cookies, such as user identifiers, passwords, etc. as they can easily be tampered with and used to access parts of your application that should be restricted, or impersonate other users.

Sunday, October 10, 2021
answered 2 Months ago