I am creating an MVC project in PHP and created a Request class for request handling. I want to get parameters with one function. Can I use $_REQUEST directly, or do I need to check something? I could not think of an edge case.

public function getParams($key = "") {
    // Null-coalescing: a key that was not sent returns null instead of
    // raising an "undefined index" warning.
    return $key ? ($_REQUEST[$key] ?? null) : $_REQUEST;
}
  • Obviously it doesn't cover scenarios such as sending JSON instead of form-url-encoded data, or uploading files. – ADyson Mar 09 '22 at 09:39
  • Also...what advantage are you trying to gain with this function? All it does is access $_REQUEST, which you could have just written directly in your code without needing a wrapper function. Of course it's up to you if you want to do it like that, but I'm not sure it actually gives you any real value. – ADyson Mar 09 '22 at 09:40
  • Nobody and nothing forbids you from using the functions directly, but if you want to centralize it somehow, here are the options, as implemented in other projects: https://github.com/opencart/opencart/blob/master/upload/system/library/request.php – emrdev Mar 09 '22 at 10:02
  • @HarviDent interesting. I'd be flagging [this line](https://github.com/opencart/opencart/blob/master/upload/system/library/request.php#L47) as a bug... htmlspecialchars is an _output_ filter, to be used only when actually outputting data into a HTML-aware environment. It's not an input filter. At best it is potentially pointless, at worst it could mangle otherwise legitimate data. A bit surprised to see that in the master code of a well-known opensource project, tbh. – ADyson Mar 09 '22 at 10:05
  • @ADyson It would be cool if you opened an issue about this) – emrdev Mar 09 '22 at 10:12
  • @HarviDent well I have no association or interest in the project really, it's just an observation. I thought maybe you had some interest in it, since presumably you knew that code was there. – ADyson Mar 09 '22 at 10:18
  • @ADyson Okay, with your permission. Thank you for your comment – emrdev Mar 09 '22 at 10:19
  • @HarviDent if you want some evidence / ammunition: https://stackoverflow.com/questions/4882307/when-to-use-htmlspecialchars-function , https://stackoverflow.com/questions/16965318/when-to-use-htmlspecialchars, https://stackoverflow.com/questions/4882307/when-to-use-htmlspecialchars%20-function. And https://stackoverflow.com/questions/3126072/what-are-the-best-php-input-sanitizing-functions is a good general reference too. Of course, if the devs have been relying on this function to escape HTML input, they'll need to go and correct all the places where they _output_ HTML and escape it there instead. – ADyson Mar 09 '22 at 10:24
  • @ADyson thanks for pointing out these scenarios. Considering advantages, I have functions to obtain and manipulate some info from $_SERVER and $_REQUEST according to my needs in the Request class. So using both $_REQUEST and the Request class seems bad to me, so I am creating some getters. Maybe I could implement these functions in another class with different naming and use $_REQUEST, but it does not look like such a requirement IMO. – MUSA ZENBİLCİ Mar 09 '22 at 11:23
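The edge cases raised in the comments (missing keys, JSON bodies that never reach $_REQUEST, and escaping belonging at output time rather than input time) in one getter, as an added example that is not the asker's code or OpenCart's. It assumes PHP 8 and takes the superglobals and raw body as constructor arguments so it can run from the CLI with constructed input; uploaded files stay in $_FILES and are not covered here.

```php
<?php
declare(strict_types=1);

final class Request
{
    /** @var array<string, mixed> */
    private array $params;

    /**
     * @param array<string, mixed> $request  normally $_REQUEST
     * @param string $contentType             normally $_SERVER['CONTENT_TYPE'] ?? ''
     * @param string $rawBody                 normally file_get_contents('php://input')
     */
    public function __construct(array $request, string $contentType, string $rawBody)
    {
        $this->params = $request;
        // PHP only populates $_REQUEST for form-encoded bodies; a JSON body
        // has to be decoded from php://input or its keys are simply absent.
        if (str_starts_with(strtolower($contentType), 'application/json')) {
            $decoded = json_decode($rawBody, true);
            if (is_array($decoded)) {
                // Body keys win over query-string keys of the same name.
                $this->params = $decoded + $this->params;
            }
        }
    }

    /** A key that was not sent yields $default, not an "undefined index" warning. */
    public function get(string $key, mixed $default = null): mixed
    {
        return $this->params[$key] ?? $default;
    }

    /** @return array<string, mixed> the raw, unescaped input */
    public function all(): array
    {
        return $this->params;
    }
}

// Constructed stand-ins for $_REQUEST, CONTENT_TYPE and php://input.
$req = new Request(['page' => '2'], 'application/json; charset=utf-8', '{"name":"<b>Ann</b>"}');
var_dump($req->get('page'));           // came in via the query string
var_dump($req->get('name'));           // came in via the JSON body, stored as sent
var_dump($req->get('missing', 'n/a')); // absent key falls back to the default

// Escape in the HTML output context, not when reading the input.
echo '<p>' . htmlspecialchars((string) $req->get('name'), ENT_QUOTES, 'UTF-8') . '</p>';
```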

0 Answers