The INPUT_POST parameter of the PHP filter function filter_input_array(), e.g. in

filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);

seems to overwrite any modification applied to the superglobal $_POST.

Test:

<?php
// 1. add an entry to the superglobal directly
$_POST['abc'] = '123';
var_dump($_POST);

// 2. replace the superglobal with the filtered request data
$_POST  = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);
var_dump($_POST);
?>

Output:

After // 2. your $_POST will be empty (as the initial POST was empty):

index.php:4:
array (size=1)
'abc' => string '123' (length=3)

index.php:8:null

So be sure to put

$_POST = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING, true);

on the top of your scripts!

Q: Did anyone else notice that behaviour, or did I make an error in reasoning?

Possible Answer: Data are taken from the superglobal $_REQUEST and not from $_POST.

Robert TheSim
  • Nowhere does it say that this has _any_ connection to $_POST whatsoever. – CBroe Aug 17 '17 at 10:39
  • @CBroe The only page I can see that attempts to define `INPUT_POST` is [this list of contants](http://php.net/manual/en/filter.constants.php), which just links to [the page describing `$_POST`](http://php.net/manual/en/reserved.variables.post.php), so that implies a connection to me. – IMSoP Aug 17 '17 at 10:51
  • @IMSoP pretty sure there isn’t actually one though. Description for filter_input_vars says, _“Gets external variables and optionally filters them”_ - and to me that simply means that it gets the data from the same _source_ as is used to fill $_POST initially. Manipulating $_POST does not change the data that was originally sent. If you test this with a script that receives actual POST data from the outside, and you add an additional entry to $_POST as shown above - then you will only see the original data in the filtered result, but not the one added only to $_POST. – CBroe Aug 17 '17 at 11:00
  • @CBroe If you can confirm that, then that's the answer. It's also something which should be clarified in the documentation, because as I say it's not true that "nowhere" makes that connection, the list of constants very clearly does make such a connection. – IMSoP Aug 17 '17 at 11:13
  • The `INPUT_POST` was irritating me, see my -> "Possible Answer:" at the end of the initial article. – Robert TheSim Aug 17 '17 at 11:25

2 Answers

There is no direct connection between $_POST, and INPUT_POST.

The latter only specifies that filter_input_vars should get the data to filter from the same source as was used to fill $_POST initially. Later manipulation of $_POST does not change what POST data was sent to the script originally.

You can easily verify this by setting up a little form that posts a hidden input field to your script. Then add an additional entry to $_POST in that script, as you did in your example above. You will see that filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING) returns an array that contains the entry for the hidden field, but not one for the entry you added to $_POST manually.

That http://php.net/manual/en/filter.constants.php describes INPUT_POST as “POST variables” and links to the description of $_POST might be a little bit misleading here, granted. But to be fair, it says POST there, and not $_POST.

so be sure, to put $_POST = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING, true); on the top of your scripts!

I would not really recommend that. Every PHP developer will assume that $_POST contains unfiltered data. As soon as you e.g. start using 3rd-party modules, that might lead to trouble.

Leaving $_POST as it is, and using a separate variable to hold your filtered POST parameters, is the better way to go IMHO.

CBroe
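An added example (not code from the question or from this answer) of the pattern recommended above: $_POST stays untouched, a validated copy lives in its own variable, and the two filter functions are contrasted, since filter_input_array(INPUT_POST) reads the request as PHP received it while filter_var_array($_POST) filters whatever the superglobal currently holds. The field names and the per-field filters are assumptions for illustration.

```php
<?php
// Added example, not from the question or the answers. Field names and
// filters below are hypothetical; adapt them to your own form.
declare(strict_types=1);

// Per-field validation instead of one blanket FILTER_SANITIZE_STRING
// (that filter is deprecated since PHP 8.1; validate on input, escape on output).
$definition = [
    'name'  => ['filter' => FILTER_DEFAULT, 'flags' => FILTER_REQUIRE_SCALAR],
    'age'   => ['filter' => FILTER_VALIDATE_INT,
                'options' => ['min_range' => 0, 'max_range' => 150]],
    'email' => FILTER_VALIDATE_EMAIL,
];

// Reads the POST body as PHP received it. Entries added to $_POST later are
// not seen here, and with no request body at all the result is null, which is
// exactly what the question's second var_dump showed.
$input = filter_input_array(INPUT_POST, $definition, true);

// Filters the array you hand it, so manual additions to $_POST ARE seen.
// Useful when the superglobal itself is the source of truth (e.g. a test that
// populates $_POST directly). Kept here only to show the difference.
$fromSuperglobal = filter_var_array($_POST, $definition, true);

function reject_invalid(?array $input): array
{
    if ($input === null) {
        return ['ok' => false, 'errors' => ['no POST body received'], 'data' => []];
    }
    $errors = [];
    foreach ($input as $field => $value) {
        // false = validation failed; null = field absent from the request
        if ($value === false || $value === null) {
            $errors[] = "invalid or missing field: $field";
        }
    }
    return ['ok' => $errors === [], 'errors' => $errors, 'data' => $input];
}

$result = reject_invalid($input);
if (!$result['ok']) {
    http_response_code(400);
    echo implode("\n", $result['errors']), "\n";
    exit;
}
// Escape at the output boundary; $_POST is still the raw request for other code.
echo 'Hello, ', htmlspecialchars($result['data']['name'], ENT_QUOTES, 'UTF-8'), "\n";
```

Run it behind a web server with a form that posts name, age and email; on the command line, where no POST body exists, it answers with the "no POST body received" error instead of silently working on an empty array.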

Your variable $_POST contains null after that function is executed and assigned to $_POST. From the PHP Manual, null may be returned because the resource on which the function is supposed to work is not defined.

I believe you should investigate either the integrity of your variables or your use of that function.

Sarkouille
  • Can be reproduced with a simple form script which issues a POST request to the server. In this case, the `$_POST` as well as the `$_REQUEST` are empty. – Robert TheSim Aug 17 '17 at 11:36