PHP: INPUT_POST (used in filter_input_array) overwrites all previous modifications of $_POST
The INPUT_POST parameter of the PHP filter function filter_input_array(), e.g. in

filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);

seems to overwrite any modification applied to the superglobal $_POST.

test:

<?php
// 1.
$_POST['abc'] = '123';
var_dump($_POST);

// 2.
$_POST  = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);
var_dump($_POST);
?>

output:

after // 2. your $_POST will be empty (as the initial POST was empty)

index.php:4:
array (size=1)
'abc' => string '123' (length=3)

index.php:8:null

So be sure to put

$_POST = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING, true);

on the top of your scripts!

Q: Did anyone else notice that behaviour - or did I make an error in reasoning?

Possible Answer: Data are taken from superglobal $_REQUEST and not from $_POST

Codee answered 17/8, 2017 at 10:36 Comment(5)
Nowhere does it say that this has any connection to $_POST whatsoever. – Canada
@CBroe The only page I can see that attempts to define INPUT_POST is this list of constants, which just links to the page describing $_POST, so that implies a connection to me. – Revisionist
@Revisionist pretty sure there isn’t actually one though. Description for filter_input_vars says, “Gets external variables and optionally filters them” - and to me that simply means that it gets the data from the same source as is used to fill $_POST initially. Manipulating $_POST does not change the data that was originally sent. If you test this with a script that receives actual POST data from the outside, and you add an additional entry to $_POST as shown above - then you will only see the original data in the filtered result, but not the one added only to $_POST. – Canada
@CBroe If you can confirm that, then that's the answer. It's also something which should be clarified in the documentation, because as I say it's not true that "nowhere" makes that connection, the list of constants very clearly does make such a connection. – Revisionist
The INPUT_POST was irritating me, see my -> "Possible Answer:" at the end of the initial article. – Codee

There is no direct connection between $_POST and INPUT_POST.

The latter only specifies that filter_input_vars should get the data to filter from the same source as was used to fill $_POST initially. Later manipulation of $_POST does not change what POST data was sent to the script originally.

You can easily verify this by setting up a little form that posts a hidden input field to your script. Then add an additional entry to $_POST in that script, as you did in your example above. You will see that filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING) returns an array that contains the entry for the hidden field, but not one for the entry you added to $_POST manually.

That http://php.net/manual/en/filter.constants.php describes INPUT_POST as “POST variables” and links to the description of $_POST might be a little bit misleading here, granted. But to be fair, it says POST there, and not $_POST.

> so be sure, to put $_POST = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING, true); on the top of your scripts!

I would not really recommend that. Every PHP developer will assume that $_POST contains unfiltered data. As soon as you f.e. start using 3rd-party modules, that might lead to trouble.

Leaving $_POST as it is, and using a separate variable to hold your filtered POST parameters, is the better way to go IMHO.

Canada answered 17/8, 2017 at 11:29 Comment(0)
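
The recommendation above (leave $_POST untouched and keep the filtered parameters in a separate variable), as an added example that is not part of the original answer. The field names and the filtered_post() helper are hypothetical, and it uses per-field validation filters rather than FILTER_SANITIZE_STRING, which is deprecated as of PHP 8.1.

```php
<?php
declare(strict_types=1);

// Field names and rules are constructed for this example.
const POST_FILTERS = [
    'user_id' => ['filter' => FILTER_VALIDATE_INT, 'options' => ['min_range' => 1]],
    'email'   => FILTER_VALIDATE_EMAIL,
    'comment' => ['filter' => FILTER_UNSAFE_RAW, 'flags' => FILTER_FLAG_STRIP_LOW],
];

/**
 * Filter the POST data the request arrived with and return it as a new array.
 * Per field: null = not sent, false = failed validation, otherwise the filtered value.
 */
function filtered_post(array $definition): array
{
    // INPUT_POST is the original request data; later writes to $_POST are not seen.
    $result = filter_input_array(INPUT_POST, $definition, true);

    // No POST data at all (GET request, CLI run): filter_input_array() returns null.
    if (!is_array($result)) {
        return array_fill_keys(array_keys($definition), null);
    }
    return $result;
}

// The write from the question: it changes $_POST only.
$_POST['abc'] = '123';

$post = filtered_post(POST_FILTERS);   // separate variable, $_POST stays unfiltered

printf("abc in \$_POST: %s\n", isset($_POST['abc']) ? 'yes' : 'no');
printf("abc in INPUT_POST: %s\n", filter_has_var(INPUT_POST, 'abc') ? 'yes' : 'no');

foreach ($post as $name => $value) {
    if ($value === null) {
        $state = 'missing';
    } elseif ($value === false) {
        $state = 'rejected';
    } else {
        $state = 'ok';
    }
    printf("%-8s %s\n", $name, $state);
}

// Filtering is not output encoding: escape where the value is rendered.
if (is_string($post['comment'])) {
    echo htmlspecialchars($post['comment'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n";
}
```
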

Your variable $_POST contains null after that function is executed and assigned to $_POST. From the PHP Manual, null may be returned because the resource on which the function is supposed to work is not defined.

I believe you should investigate either the integrity of your variables or your use of that function.

Masjid answered 17/8, 2017 at 10:49 Comment(1)
Can be reproduced with a simple form script which issues a POST request to the server. In this case, the $_POST as well as the $_REQUEST are empty. – Codee
