1.2.1626. filter_input() As A Source¶
The filter_input() and filter_input_array() functions access directly to
$_GET. They represent a source for external data just like$_GET,$_POST, etc.
The main feature of filter_input() is that it is already filtered. The main drawback is that FILTER_FLAG_NONE is the none filter, and that default configuration is FILTER_UNSAFE_RAW.
The filter extension keeps access to the incoming data, even after the super globals, such as $_GET, are unset.
Thanks to Frederic Bouchery for reporting this special case.
<?php
// Removing $_GET
$_GET = [];
// with the default : FILTER_UNSAFE_RAW, this means XSS
echo filter_input(INPUT_GET, 'i');
// Same as above :
echo filter_var(_GET, 'i');
?>
See also Data filtering.
1.2.1626.1. Suggestions¶
Use the classic $_GET, $_POST super globals, which are easier to audit.
Use your framework’s parameter access.
1.2.1626.2. Specs¶
Short name |
Security/FilterInputSource |
Rulesets |
|
Exakat since |
1.4.8 |
PHP Version |
All |
Severity |
Minor |
Time To Fix |
Slow (1 hour) |
Precision |
High |
Features |
validation |
Available in |