This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.
INPUT_REQUEST not implemented yet - but NB throws a hint on direct usage of $_REQUEST. So basically, how should I implement $_REQUEST, if I should not use it directly? RIGHT, there is filter_var(); but guess what? It still throws a hint. I saw the report on throwing a hint on the direct usage(234280), but I cannot agree with it. As long as INPUT_REQUEST and INPUT_SESSION is not implemented, there should not be a hint on direct usage. The best possible solution imho would be to test if $_REQUEST or $_SESSION are used in a "filtering function" or not. "Filtering functions" should be filter_*, is_* and isset() Here is a simple sample code for a complete filter_has_var() alternative which should not trigger any hints (at the moment, the line with isset($_REQUEST[$key]) does): /** * Checks if super global contains key * The following values for TYPE are possible: * - INPUT_POST * - INPUT_GET * - INPUT_COOKIE * - INPUT_ENV * - INPUT_SERVER * - INPUT_SESSION * - INPUT_REQUEST * * @param integer $type * @param string $key * @return boolean */ function issetSG($type, $key) { switch($type) { case 'INPUT_SESSION': { $r = isset($_SESSION[$key]); break; } case 'INPUT_REQUEST': { $r = isset($_REQUEST[$key]); break; } default: { $r = filter_has_var($type, $key); break; } } return $r; } Product Version: NetBeans IDE Dev (Build nbms-and-javadoc-1140-on-20140101) Java: 1.7.0_45; Java HotSpot(TM) 64-Bit Server VM 24.45-b08 Runtime: Java(TM) SE Runtime Environment 1.7.0_45-b18 System: Windows 8 version 6.2 running on amd64; Cp1252; de_DE (nb)
Your code doesn't have a problem just with the $_REQUEST, if I rename it to $_POST hint appears too. I have to look at it.
isset() function isn't in our list of validator/filtering functions. It doesn't validates anything, just if "key exists". I can add it but it doesn't say anything about the value of the item - if it's integer, float, or if it's filtered (escaped) etc. It just say that the key exists. And it's not a purpose of this hint. It tries to force you to "be ensure" that the data from that item will be in a form you want - escaped or at least in some proper type. So for me this is invalid, but I'll leave it as P4 and will think about it some day again. Thanks.
Well, with isset you do get a proper type which even cannot be malicious. You get a boolean! I often just need to know, if a variable is set (and I don't even care about the value). This situation should not trigger a hint. Also functions that implement INPUT_REQUEST should not give errors Try for instance $REQUEST = filter_var_array($_REQUEST, $filters); and $_REQUEST will give the hint. But actually I am filtering it in this particular line.