Opened 10 months ago
Last modified 10 months ago
#60470 new enhancement
Use `filter_input` instead of superglobals where possible
| Reported by: | kkmuffme | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Security | Keywords: | |
| Focuses: | | Cc: | |
Description
The `$_SERVER`, `$_GET`, and `$_POST` variables are inherently unsafe and shouldn't be used, as they can be modified in userland.

`filter_input` should be used instead - for cases where there is no appropriate sanitizing available the `FILTER_CALLBACK` flag can be used with the WP sanitizing function, e.g. `FILTER_CALLBACK`
Change History (3)
#2 @ 10 months ago
This isn't really related, is it? (very, very tangentially at best)
---
Using filter_input would also finally provide a pathway out of the useless unslashing, bc the data from filter_input isn't corrupted by WP's unnecessary slashing of superglobals in the first place.
#3 @ 10 months ago
As of PHP 8 any disabled functions aren't included in the functions table and can be overwritten by a userland function - WP could define `filter_input` if it doesn't exist in those cases (https://php.watch/versions/8.0/disable_functions-redeclare).
Which would make the argument that some servers don't have the `filter_*` functions enabled redundant too.
As soon as WP raises the minimum to PHP 8, this is definitely the way to go I'd say?
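The pattern proposed in the description (read request input through `filter_input` with `FILTER_CALLBACK` wrapping a WordPress sanitizer) and the fallback proposed in comment #3 (define `filter_input` in userland when the host has disabled it), as one added example. This is illustration code, not WordPress core code and not part of this ticket; it assumes ext/filter is loaded so the `INPUT_*` and `FILTER_*` constants exist, and the `sanitize_text_field` stand-in and the `wp_example_*` helper names are constructed for the example.

```php
<?php
// Added example, not WordPress core code. Shows how callers can read
// request parameters without touching $_GET/$_POST directly.

// Outside WordPress sanitize_text_field() does not exist. This stand-in
// (strip tags, drop control characters, collapse whitespace) is an
// approximation of the WP function so the file runs on its own.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $str): string
    {
        $str = strip_tags($str);
        $str = preg_replace('/[\x00-\x1F\x7F]/', '', $str);
        return trim(preg_replace('/\s+/', ' ', $str));
    }
}

// Userland fallback for hosts that list filter_input in disable_functions.
// On PHP 8 such a function is absent from the function table, so this
// declaration is legal; on PHP 7 the guard is false and nothing happens.
// Only FILTER_DEFAULT and FILTER_CALLBACK are supported, which is all the
// pattern in this ticket needs. A fallback can only read the superglobals,
// so it does not give the "original request" guarantee of the real function.
if (!function_exists('filter_input')) {
    function filter_input(int $type, string $name, int $filter = FILTER_DEFAULT, array|int $options = 0): mixed
    {
        $sources = [
            INPUT_GET    => $_GET,
            INPUT_POST   => $_POST,
            INPUT_COOKIE => $_COOKIE,
            INPUT_SERVER => $_SERVER,
            INPUT_ENV    => $_ENV,
        ];
        if (!isset($sources[$type]) || !array_key_exists($name, $sources[$type])) {
            return null; // same contract as the real function: null when absent
        }
        $value = $sources[$type][$name];
        if ($filter === FILTER_CALLBACK) {
            $cb = is_array($options) ? ($options['options'] ?? null) : null;
            if (!is_callable($cb)) {
                return false; // misconfigured filter: fail closed
            }
            return is_array($value) ? array_map($cb, $value) : $cb((string) $value);
        }
        // FILTER_DEFAULT: scalar as string; arrays are rejected without FILTER_REQUIRE_ARRAY
        return is_array($value) ? false : (string) $value;
    }
}

/**
 * Read one GET parameter as sanitised text. Returns '' when the parameter is
 * absent (null) or rejected (false), so callers never branch on raw input.
 */
function wp_example_get_text(string $name, ?callable $sanitizer = null): string
{
    $sanitizer ??= 'sanitize_text_field';
    $value = filter_input(INPUT_GET, $name, FILTER_CALLBACK, ['options' => $sanitizer]);
    return is_string($value) ? $value : '';
}

/**
 * Read one POST parameter as a positive integer, or null if absent/invalid.
 * Where a built-in validator exists it is preferable to a callback:
 * FILTER_VALIDATE_INT returns false for anything that is not an integer.
 */
function wp_example_post_id(string $name): ?int
{
    $value = filter_input(INPUT_POST, $name, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $value === false || $value === null ? null : $value;
}

// Usage (constructed). In a web request with ?q=<b>hi</b>%20%20there
// wp_example_get_text('q') yields "hi there"; under the CLI there is no
// request, filter_input() returns null and the helper yields "".
var_dump(wp_example_get_text('q'));
var_dump(wp_example_post_id('post_id'));
```

Two points worth keeping in mind when adopting this: the real `filter_input` reads the request as PHP received it, so a later `$_GET['q'] = ...` assignment in plugin code is not visible to it (which is the property the ticket wants), whereas the userland fallback above necessarily reads the superglobals and loses that property; and `filter_input` distinguishes "absent" (`null`) from "rejected" (`false`), so callers should check both rather than testing truthiness.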
Related: #33837