PHP: how to handle $_POST data

I am getting a NetBeans warning when using this code. Can anyone post some code that will not show warnings in NetBeans and will achieve what I want? Does my code have a security flaw?

...

The warning I'm getting says: "Never access superglobal $_POST directly. Use some filter function instead."

...

<?php
// Test whether the required POST fields are present
if (
    isset($_POST['num']) &&
    isset($_POST['desc'])
) {
    // Strip everything except digits, sign and fraction characters, then cast
    // to float; the cast belongs on the right-hand side, not in front of $num
    $num = (float) filter_var($_POST['num'], FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION);
    // Unfiltered string: bind it as a parameter before it reaches a mysqli query
    $desc = $_POST['desc'];

    // Do stuff with these vars such as: mysqli queries; equations with ! === || &&.
}
?>


+3

2 answers


Try using this:



<?php

// filter_input() reads the field without touching $_POST directly, which is
// what the NetBeans hint asks for. Note that the truthiness test also rejects
// the valid value "0"; compare against null/false when that matters.
if (filter_input(INPUT_POST, 'num') && filter_input(INPUT_POST, 'desc')) {
    // Cast on the right-hand side: "(double) $num = ..." casts the result of
    // the assignment and leaves $num a string
    $num = (double) filter_input(INPUT_POST, 'num', FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION);

    $desc = filter_input(INPUT_POST, 'desc');

    // Do stuff after with these vars such as: mysqli queries; equations with ! === || &&.
}


+1

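For the security part of the question, sanitizing is not the same as validating, and neither replaces parameterized queries. The following is an added example, not code from the question or either answer; the table name, column names and connection details are placeholders. It validates `num` with FILTER_VALIDATE_FLOAT (which rejects malformed input instead of silently trimming it), applies explicit length rules to `desc`, and hands both values to mysqli through a prepared statement.

```php
<?php
// Added example: validate POST input, then bind it as query parameters so the
// values never become part of the SQL text. Table/connection names are placeholders.
declare(strict_types=1);

/**
 * Read and validate the two POST fields.
 * Returns ['num' => float, 'desc' => string], or null if anything is missing or invalid.
 */
function readItemInput(): ?array
{
    // FILTER_VALIDATE_FLOAT returns false for "12abc" instead of turning it into 12,
    // and null when the field is absent.
    $num = filter_input(INPUT_POST, 'num', FILTER_VALIDATE_FLOAT);
    // Compare explicitly: "0" is a valid number but would fail a truthiness test.
    if ($num === false || $num === null) {
        return null;
    }

    $desc = filter_input(INPUT_POST, 'desc');
    if ($desc === null || $desc === false) {
        return null;
    }
    // Length and character rules are application decisions; no filter flag imposes them.
    $desc = trim($desc);
    if ($desc === '' || mb_strlen($desc) > 255) {
        return null;
    }

    return ['num' => $num, 'desc' => $desc];
}

$input = readItemInput();
if ($input === null) {
    http_response_code(400);
    exit('Invalid input');
}

// Placeholder connection and table "items(num, description)".
$db = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
$stmt = $db->prepare('INSERT INTO items (num, description) VALUES (?, ?)');
// 'd' binds a double, 's' a string; the driver sends them separately from the SQL.
$stmt->bind_param('ds', $input['num'], $input['desc']);
$stmt->execute();

// Escape on output for the HTML context; the stored text itself stays raw.
echo htmlspecialchars($input['desc'], ENT_QUOTES, 'UTF-8');
```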

I wouldn't worry too much about this warning; even the line where you actually use the filter function (although a different option than NetBeans suggests ...) generates the same message.

These are hints that should make you think about what you are doing and can be very helpful.

However, if you don't want to see them, you can go to:


Tools > Options > Editor > Hints


And disable individual warnings separately.

0
