Illegal use of $_SERVER.

Discussion forum for Extension Writers regarding Extension Development.
smaz
Registered User
Posts: 19
Joined: Tue Aug 25, 2009 3:41 pm

Illegal use of $_SERVER.

Post by smaz » Sat Nov 01, 2014 10:44 am

Hi
i'm trying to include some my simple function in "includes/functions_posting.php" that requires the $_SERVER['REMOTE_ADDR'] variable.
But the error I get after posting is
Illegal use of $_SERVER. You must use the request class or request_var() to access input data. Found in /home/test/public_html/forum/includes/functions_posting.php on line 1771. This error message was generated by deactivated_super_global.
How can I access to superglobal variables?
thanks!
Last edited by Oyabun1 on Sat Nov 01, 2014 11:46 am, edited 1 time in total.
Reason: Moved from 3.1.x Support forum

nicofuma
3.2 Release Manager
3.2 Release Manager
Posts: 546
Joined: Sun Apr 13, 2014 1:47 am
Location: Grenoble - France

Re: Illegal use of $_SERVER.

Post by nicofuma » Sat Nov 01, 2014 11:54 am

As said in the error message, use the request class and its variable() method (it's the @request service)
Member of phpBB Development-Team
No Support via PM

smaz
Registered User
Posts: 19
Joined: Tue Aug 25, 2009 3:41 pm

Re: Illegal use of $_SERVER.

Post by smaz » Sat Nov 01, 2014 1:19 pm

please can you make a simple example to get a $_SERVER variable?

smaz
Registered User
Posts: 19
Joined: Tue Aug 25, 2009 3:41 pm

Re: Illegal use of $_SERVER.

Post by smaz » Sat Nov 01, 2014 2:45 pm

i using
$request->server('REMOTE_ADDR') but it doesn't work

F-3000
Registered User
Posts: 19
Joined: Wed Aug 05, 2009 3:50 pm

Re: Illegal use of $_SERVER.

Post by F-3000 » Tue Nov 04, 2014 12:48 pm

EDIT: Don't use request_var() in 3.1, as it is 3.0 function. Explanation and correct code down below.

Code: Select all

request_var('REMOTE_ADDR','')
Example given,

Code: Select all

$myVar = request_var('REMOTE_ADDR','');
More about how this function works in here:
https://wiki.phpbb.com/Function.request_var


I'm trying to find a way to turn this thing off, because it basically breaks my whole site with assumption that I'm not already checking superglobals that I use. Even more fancy is, that those error-messages shows all the paths to the whole world (look at the example in the first post).
Last edited by F-3000 on Thu Oct 29, 2015 12:27 pm, edited 1 time in total.

nicofuma
3.2 Release Manager
3.2 Release Manager
Posts: 546
Joined: Sun Apr 13, 2014 1:47 am
Location: Grenoble - France

Re: Illegal use of $_SERVER.

Post by nicofuma » Tue Nov 04, 2014 1:04 pm

You say that's it's not working but what is the problem exactly?

@F-3000 there is a parameter for that, look at the file config/parameters.yml (you can use an extension to override this value)
Member of phpBB Development-Team
No Support via PM

Tecwar
Registered User
Posts: 42
Joined: Mon Jun 25, 2007 4:45 pm

Re: Illegal use of $_SERVER.

Post by Tecwar » Tue Nov 04, 2014 3:27 pm

hi,
have a similar problem.
Illegal use of $_POST. You must use the request class or request_var() to access input data. Found in.....

Code: Select all

if (empty($_POST['btn_submit'])) {
    $_POST['btn_submit'] = '';
}

switch ($_POST['btn_submit'])
{
........
could someone please help me with this.thx

User avatar
VSE
Extensions Development Coordinator
Extensions Development Coordinator
Posts: 4681
Joined: Sat Jan 17, 2009 9:37 am
Location: Los Angeles, CA
Name: Matt Friedman
Contact:

Re: Illegal use of $_SERVER.

Post by VSE » Tue Nov 04, 2014 4:48 pm

Tecwar wrote:could someone please help me with this.thx
https://area51.phpbb.com/docs/31x/codin ... ml#general
Dictated but not read.
Official phpBB Extensions My Extensions & MODs
Please do not PM me for support.

User avatar
DavidIQ
Customisations Team Leader
Customisations Team Leader
Posts: 16730
Joined: Thu Jan 06, 2005 1:30 pm
Location: Fishkill, NY
Name: David Colón
Contact:

Re: Illegal use of $_SERVER.

Post by DavidIQ » Tue Nov 04, 2014 4:49 pm

You can either add this in your code:

Code: Select all

$request->enable_super_globals();
Or use dependency injection and set core.disable_super_globals to false in either the config/parameters.yml file or in your extension's services.yml file.

We would not allow something like this in our extensions database however so I assume this is for something outside of the approved extensions realm for the reasons specified in the link from VSE.
Apply to become a Jr. Extension Validator
My extensions | In need of phpBB services? | Was I helpful today?
No unsolicited PMs unless you're planning on asking for paid help.

User avatar
martin123456
I've Been Banned!
Posts: 726
Joined: Sat Mar 05, 2011 7:44 pm

Re: Illegal use of $_SERVER.

Post by martin123456 » Tue Nov 04, 2014 5:35 pm

Your need to add it like this $request->enable_super_globals();

Code: Select all

<!-- IF S_CODE_UNTIDY and S_MESS_ON_INDEX Good If_Not_TIDY_Then_SUBMIT -->

marcovo
Registered User
Posts: 239
Joined: Fri Nov 16, 2012 12:19 pm
Location: The Netherlands
Name: Marco

Re: Illegal use of $_SERVER.

Post by marcovo » Tue Nov 04, 2014 5:58 pm

F-3000 wrote:

Code: Select all

$myVar = request_var('REMOTE_ADDR','');
This makes me wonder what happens if I request the page index.php?REMOTE_ADDR=127.0.0.1? Why are all these globals merged into 1 array anyways?

F-3000
Registered User
Posts: 19
Joined: Wed Aug 05, 2009 3:50 pm

Re: Illegal use of $_SERVER.

Post by F-3000 » Thu Nov 06, 2014 8:17 am

marcovo wrote:
F-3000 wrote:

Code: Select all

$myVar = request_var('REMOTE_ADDR','');
This makes me wonder what happens if I request the page index.php?REMOTE_ADDR=127.0.0.1?
I think that super globals are merged last, meaning that the $_GET['REMOTE_ADDR'] is overridden by $_SERVER's value.
marcovo wrote:Why are all these globals merged into 1 array anyways?
Because someone for some odd reason wanted to simplify things a littlebit too much? If there's a $_GET['value'] and $_POST['value'], you're gona lose either one. Within phpBB-context, this aint gona happen (or it's going to be bug-reported pretty soon), but within CMS-context where phpBB is included, it's very possible.

I personally dislike this change a lot, regardless that I understand it. Super globals themselves are not dangerous. Dangerous is, if coder does not understand that any user input should be treated as dangerous. I, for example, always check any values controllable by the user before utilizing them.

Luckily this change is easily rendered harmless with a single line, without a need to disable it forum-wide. Thanks for that. :)

[EDIT]
As a sidenote, I'm not talking in a phpBB extension context, rather in regarding utilizing phpBB within main site. I just noticed the area where this thread resides, thus I'm somewhat out of topic, even if my problem had same source. I landed on this thread thru Google.

User avatar
Marc
Development Team Leader
Development Team Leader
Posts: 5334
Joined: Tue Oct 30, 2007 10:57 pm
Location: Munich, Germany
Name: Marc
Contact:

Re: Illegal use of $_SERVER.

Post by Marc » Sun Nov 09, 2014 1:53 pm

DavidIQ wrote:You can either add this in your code:

Code: Select all

$request->enable_super_globals();
Or use dependency injection and set core.disable_super_globals to false in either the config/parameters.yml file or in your extension's services.yml file.

We would not allow something like this in our extensions database however so I assume this is for something outside of the approved extensions realm for the reasons specified in the link from VSE.
You should never execute the above function call. You can use $request->is_set_post() as mentioned by the link VSE posted.
marcovo wrote:
F-3000 wrote:

Code: Select all

$myVar = request_var('REMOTE_ADDR','');
This makes me wonder what happens if I request the page index.php?REMOTE_ADDR=127.0.0.1? Why are all these globals merged into 1 array anyways?
That's what happens if you use old code. request_var() is the phpBB 3.0 function. In phpBB 3.1 you should use the request class, in which you can specify which type of variable you want.
For example this for a post variable with multibyte enabled:
$request->variable('my_var', 'default_value', true, \phpbb\request\request_interface::POST);
The last parameter specifies what type of variable you want to retrieve. See available superglobals:
https://github.com/phpbb/phpbb/blob/dev ... st.php#L27

edit:

Regarding the initial question, these 2 calls would work:

Code: Select all

$request->variable('REMOTE_ADDR', '', false, \phpbb\request\request_interface::SERVER);
or

Code: Select all

request_var('REMOTE_ADDR', '', false, false, \phpbb\request\request_interface::SERVER)

User avatar
A_Jelly_Doughnut
Former Team Member
Posts: 34452
Joined: Sat Jan 18, 2003 1:26 am
Location: Where the Rivers Run
Contact:

Re: Illegal use of $_SERVER.

Post by A_Jelly_Doughnut » Mon Nov 10, 2014 9:55 pm

F-3000 wrote:
marcovo wrote: This makes me wonder what happens if I request the page index.php?REMOTE_ADDR=127.0.0.1?
I think that super globals are merged last, meaning that the $_GET['REMOTE_ADDR'] is overridden by $_SERVER's value.
Sort of off-topic, but $_SERVER is never merged into $_REQUEST, so there would be no effect from trying to set REMOTE_ADDR in GET/POST data. In phpBB 3.0, you accessed $_SERVER directly and $_REQUEST through request_var().

This is changed in 3.1 as Marc has explained.
A Donut's Blog
"Bach's Prelude (Cello Suite No. 1) is driving Indiana country roads in Autumn" - Ann Kish

Getekid
Registered User
Posts: 5
Joined: Sun Jan 13, 2013 3:13 pm
Name: Thomas Pappas
Contact:

Re: Illegal use of $_SERVER.

Post by Getekid » Sat Dec 27, 2014 11:32 am

Hello everyone,

I am having a similar problem. I am working on a phpCAS authentication plugin so I have to use the phpCAS libraries which have a few uses of the $_SERVER and $_GET variables. For development purposes I tried to enable them again through $request->enable_global_variables() (so I can work on other parts first), but then I got an $_GET error message!! The method must have worked since initially I was getting an $_SERVER error, but I don't know why I am still getting another one since the enable method was called.

Afterwards I changed the $_GET lines with the $request->variable('myvar', '', false, \phpbb\request\request_interface::GET) but then I got:
Illegal use of $_GET. You must use the request class or request_var() to access input data. Found in /path/phpbb/request/request.php on line 389. This error message was generated by deactivated_super_global.
The aforementioned line is a phpbb core line that goes $var = $this->input[$super_global][$var_name];. The way I understand it this is the secure code that is executed instead of the global one, so it shouldn't get any errors.

What am I doing wrong?
Thanks

EDIT: I moved the enable method from the login form to the class constructor and now no errors appear.

Post Reply

Return to “Extension Writers Discussion”

Who is online

Users browsing this forum: AmigoJack, kasimi, Mannix_ and 192 guests