Globals, closures, and filter_input

11 years ago by Gary Mort — view source — reply

unread

This seems to me to be an odd combination and it is not explictly
documented.

I'm running under PHP 5.5.12

First off, when after executing unset($_GET) - the global $_GET variable
no longer exists. However, calling filter_input(INPUT_GET,...)
continues to return data from the query string.

So filter_input and filter_has_var are independent of the $_GET
variable. IE they will return whatever the original data was. This is
noted in the comments regarding these functions,
http://us1.php.net/manual/en/function.filter-input.php - I simply want
to double check that this is working as designed, and not a bug that
will be corrected[since there is no spec for this feature. :-)]

Moreover, it is possible to bind a closure to a global variable, for
example:

https://gist.github.com/garyamort/c656846ba3969c492d20

In this code, I bind a closure which returns the results of
filter_input(INPUT_GET,...) to the $_GET super global.

This was simply a quick and dirty exercise dynamically enabling $_GET
variable filtering in a manner which integrates nicely with most
introductory PHP tutorials.

A more thorough solution would be to instead create an ArrayObject
subclass and map the various array methods to the appropriate
filter_input and filter_has_var functions.

In that way, 'legacy' code could have it's input automatically
sanitized, with the ability to change the type of sanitization which
occurs during execution[since the current default sanitzation ini
setting can not be changed dynamically]

However, global variables are not supposed to be bound to closures and
objects, then this could result in future problems if that feature is
ever modified.

11 years ago by Rasmus Lerdorf — view source — reply

unread

This seems to me to be an odd combination and it is not explictly
documented.

I'm running under PHP 5.5.12

First off, when after executing unset($_GET) - the global $_GET variable
no longer exists. However, calling filter_input(INPUT_GET,...)
continues to return data from the query string.

So filter_input and filter_has_var are independent of the $_GET
variable. IE they will return whatever the original data was. This is
noted in the comments regarding these functions,
http://us1.php.net/manual/en/function.filter-input.php - I simply want
to double check that this is working as designed, and not a bug that
will be corrected[since there is no spec for this feature. :-)]

That is working as designed. The whole point of the filter functions is
that they keep a copy of the original input and only expose a filtered
version in the GPC globals. When you need unfiltered data, or data
filtered with a different filter you can call the filter functions to do
so. That wouldn't work if the initial filter operation was destructive.

However, global variables are not supposed to be bound to closures and
objects, then this could result in future problems if that feature is
ever modified.

I don't see why we would restrict the super globals from being bound to
closures in the future. I see nothing wrong with your approach.

-Rasmus