直接访问php超全球时的安全问题
I just upgraded my IDE (Netbean) to 1.7.4 beta, to test it out... and it seems that now it si giving me a warning whenever I access my superglobal variable. It says
Do not access supergolobal $_POST Array Directly
I am currently just using this
$taxAmount = intval(ceil($_POST['price']*($TAX-1)));
How much of a security concern is this really?
Is this the proper way to do it, and does it make a difference?
$price = $_POST['price'];
$taxAmount = intval(ceil($price*($TAX-1)));
我刚刚将我的IDE(Netbean)升级到1.7.4 beta,以测试它......似乎 现在,只要我访问我的超全局变量,它就会给我一个警告。 它说 p>
不要直接访问supergolobal $ _POST数组 p> blockquote>
我目前正在使用此
$ taxAmount = intval(ceil($ _ POST ['price'] *($ TAX-1))); code> pre> \ n这真的有多少安全问题? p>
这是正确的方法吗,它会有所作为吗? p>
$ price = $ _POST ['price']; $ taxAmount = intval(ceil($ price *($ TAX-1))); code> pre>
No, you can use you first method and not fill the memory with duplicate data. The only concern here is to validate it before using, and if you copy it to another variable, you need to do same on it also.
I don't see any difference!
Especially if you do not want to use it in a sql_query.
The only thing that makes me thinking, is that its not much common to write in superglobals directly, so some poor programmers may leave it with unvalidated data.
One last thing, Be sure to check your "$_POST" existence with 'empty' or 'isset' functions.
example:
If(!empty($_POST['price']))
$taxAmount = intval(ceil($_POST['price']*($TAX-1)));
else
$taxAmount = -1; //Somethings wrong.