Illegal use of $_SERVER.

Discussion forum for Extension Writers regarding Extension Development.
smaz
Registered User
Posts: 19
Joined: Tue Aug 25, 2009 3:41 pm

Illegal use of $_SERVER.

Post by smaz »

Hi,
I'm trying to include a simple function of mine in "includes/functions_posting.php" that requires the $_SERVER['REMOTE_ADDR'] variable.
But the error I get after posting is:
Illegal use of $_SERVER. You must use the request class or request_var() to access input data. Found in /home/test/public_html/forum/includes/functions_posting.php on line 1771. This error message was generated by deactivated_super_global.
How can I access superglobal variables?
Thanks!
Last edited by Oyabun1 on Sat Nov 01, 2014 11:46 am, edited 1 time in total.
Reason: Moved from 3.1.x Support forum
nicofuma
3.2 Release Manager
Posts: 546
Joined: Sun Apr 13, 2014 1:47 am
Location: Grenoble - France

Re: Illegal use of $_SERVER.

Post by nicofuma »

As said in the error message, use the request class and its variable() method (it's the @request service)
Member of phpBB Development-Team
No Support via PM
smaz
Registered User
Posts: 19
Joined: Tue Aug 25, 2009 3:41 pm

Re: Illegal use of $_SERVER.

Post by smaz »

Please can you make a simple example to get a $_SERVER variable?
smaz
Registered User
Posts: 19
Joined: Tue Aug 25, 2009 3:41 pm

Re: Illegal use of $_SERVER.

Post by smaz »

I'm using
$request->server('REMOTE_ADDR') but it doesn't work.
F-3000
Registered User
Posts: 19
Joined: Wed Aug 05, 2009 3:50 pm

Re: Illegal use of $_SERVER.

Post by F-3000 »

EDIT: Don't use request_var() in 3.1, as it is a 3.0 function. Explanation and correct code down below.

Code:

request_var('REMOTE_ADDR','')
Example given,

Code:

$myVar = request_var('REMOTE_ADDR','');
More about how this function works in here:
https://wiki.phpbb.com/Function.request_var


I'm trying to find a way to turn this thing off, because it basically breaks my whole site with the assumption that I'm not already checking superglobals that I use. Even more fancy is that those error messages show all the paths to the whole world (look at the example in the first post).
Last edited by F-3000 on Thu Oct 29, 2015 12:27 pm, edited 1 time in total.
nicofuma
3.2 Release Manager
Posts: 546
Joined: Sun Apr 13, 2014 1:47 am
Location: Grenoble - France

Re: Illegal use of $_SERVER.

Post by nicofuma »

You say that it's not working, but what is the problem exactly?

@F-3000 there is a parameter for that, look at the file config/parameters.yml (you can use an extension to override this value)
Member of phpBB Development-Team
No Support via PM
Tecwar
Registered User
Posts: 42
Joined: Mon Jun 25, 2007 4:45 pm

Re: Illegal use of $_SERVER.

Post by Tecwar »

Hi,
I have a similar problem.
Illegal use of $_POST. You must use the request class or request_var() to access input data. Found in.....

Code:

if (empty($_POST['btn_submit'])) {
    $_POST['btn_submit'] = '';
}

switch ($_POST['btn_submit'])
{
........
Could someone please help me with this? Thx.
MattF
Extensions Development Coordinator
Posts: 5861
Joined: Sat Jan 17, 2009 9:37 am
Location: Los Angeles, CA
Name: Matt Friedman

Re: Illegal use of $_SERVER.

Post by MattF »

Tecwar wrote: could someone please help me with this. thx
https://area51.phpbb.com/docs/31x/codin ... ml#general
Formerly known as VSE | My Extensions | Please do not PM me for support.
DavidIQ
Customisations Team Leader
Posts: 18316
Joined: Thu Jan 06, 2005 1:30 pm
Location: Fishkill, NY
Name: David Colón

Re: Illegal use of $_SERVER.

Post by DavidIQ »

You can either add this in your code:

Code:

$request->enable_super_globals();
Or use dependency injection and set core.disable_super_globals to false in either the config/parameters.yml file or in your extension's services.yml file.

We would not allow something like this in our extensions database, however, so I assume this is for something outside of the approved extensions realm for the reasons specified in the link from VSE.
Apply to become a Jr. Extension Validator
My extensions | In need of phpBB services? | Was I helpful today?
No unsolicited PMs unless you're planning on asking for paid help.
martin123456
I've Been Banned!
Posts: 726
Joined: Sat Mar 05, 2011 7:44 pm

Re: Illegal use of $_SERVER.

Post by martin123456 »

You need to add it like this: $request->enable_super_globals();

Code:

<!-- IF S_CODE_UNTIDY and S_MESS_ON_INDEX Good If_Not_TIDY_Then_SUBMIT -->
marcovo
Registered User
Posts: 239
Joined: Fri Nov 16, 2012 12:19 pm
Location: The Netherlands
Name: Marco

Re: Illegal use of $_SERVER.

Post by marcovo »

F-3000 wrote:

Code:

$myVar = request_var('REMOTE_ADDR','');
This makes me wonder what happens if I request the page index.php?REMOTE_ADDR=127.0.0.1? Why are all these globals merged into 1 array anyways?
F-3000
Registered User
Posts: 19
Joined: Wed Aug 05, 2009 3:50 pm

Re: Illegal use of $_SERVER.

Post by F-3000 »

marcovo wrote:
F-3000 wrote:

Code:

$myVar = request_var('REMOTE_ADDR','');
This makes me wonder what happens if I request the page index.php?REMOTE_ADDR=127.0.0.1?
I think that super globals are merged last, meaning that the $_GET['REMOTE_ADDR'] is overridden by $_SERVER's value.
marcovo wrote: Why are all these globals merged into 1 array anyways?
Because someone for some odd reason wanted to simplify things a little bit too much? If there's a $_GET['value'] and $_POST['value'], you're gonna lose either one. Within phpBB-context, this ain't gonna happen (or it's going to be bug-reported pretty soon), but within CMS-context where phpBB is included, it's very possible.

I personally dislike this change a lot, even though I understand it. Super globals themselves are not dangerous. What is dangerous is a coder not understanding that any user input should be treated as dangerous. I, for example, always check any values controllable by the user before utilizing them.

Luckily this change is easily rendered harmless with a single line, without a need to disable it forum-wide. Thanks for that. :)

[EDIT]
As a side note, I'm not talking in a phpBB extension context, but rather regarding utilizing phpBB within the main site. I just noticed the area where this thread resides, thus I'm somewhat off topic, even if my problem had the same source. I landed on this thread through Google.
Marc
Development Team Leader
Posts: 5658
Joined: Tue Oct 30, 2007 10:57 pm
Location: Munich, Germany
Name: Marc

Re: Illegal use of $_SERVER.

Post by Marc »

DavidIQ wrote: You can either add this in your code:

Code:

$request->enable_super_globals();
Or use dependency injection and set core.disable_super_globals to false in either the config/parameters.yml file or in your extension's services.yml file.

We would not allow something like this in our extensions database, however, so I assume this is for something outside of the approved extensions realm for the reasons specified in the link from VSE.
You should never execute the above function call. You can use $request->is_set_post() as mentioned by the link VSE posted.
marcovo wrote:
F-3000 wrote:

Code:

$myVar = request_var('REMOTE_ADDR','');
This makes me wonder what happens if I request the page index.php?REMOTE_ADDR=127.0.0.1? Why are all these globals merged into 1 array anyways?
That's what happens if you use old code. request_var() is the phpBB 3.0 function. In phpBB 3.1 you should use the request class, in which you can specify which type of variable you want.
For example this for a post variable with multibyte enabled:
$request->variable('my_var', 'default_value', true, \phpbb\request\request_interface::POST);
The last parameter specifies what type of variable you want to retrieve. See available superglobals:
https://github.com/phpbb/phpbb/blob/dev ... st.php#L27

edit:

Regarding the initial question, these 2 calls would work:

Code:

$request->variable('REMOTE_ADDR', '', false, \phpbb\request\request_interface::SERVER);
or

Code:

request_var('REMOTE_ADDR', '', false, false, \phpbb\request\request_interface::SERVER)
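
Added example (not part of any post in this thread, and not phpBB core code): the typed lookups Marc describes, applied to the REMOTE_ADDR question and to Tecwar's btn_submit check, in a small extension service that receives the @request service by injection. The namespace acme\demo, the class input_reader and the $allowed list are hypothetical, and the code assumes it runs inside phpBB 3.1.

```php
<?php
// Added example, not phpBB core code. acme\demo and input_reader are
// hypothetical names; the request methods are phpBB 3.1's request class.
// Service definition for the extension's config/services.yml:
//   acme.demo.input_reader:
//       class: acme\demo\input_reader
//       arguments: ['@request']
namespace acme\demo;

use phpbb\request\request_interface;

class input_reader
{
    /** @var request_interface */
    protected $request;

    public function __construct(request_interface $request)
    {
        $this->request = $request;
    }

    // REMOTE_ADDR from the SERVER superglobal only. Without the fourth
    // argument the lookup defaults to REQUEST (GET/POST data), so
    // index.php?REMOTE_ADDR=127.0.0.1 would supply the value instead.
    public function client_ip()
    {
        $ip = $this->request->variable('REMOTE_ADDR', '', false, request_interface::SERVER);
        return (filter_var($ip, FILTER_VALIDATE_IP) !== false) ? $ip : '';
    }

    // Replaces the empty($_POST['btn_submit']) / switch pattern: test
    // presence with is_set_post(), read the value from POST only, and
    // accept it only if it is one of the caller's expected button values.
    public function submitted_action(array $allowed)
    {
        if (!$this->request->is_set_post('btn_submit'))
        {
            return '';
        }
        $action = $this->request->variable('btn_submit', '', true, request_interface::POST);
        return in_array($action, $allowed, true) ? $action : '';
    }
}
```

A caller would switch on the return value of submitted_action(array('save', 'preview')); those button values are constructed for illustration.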
A_Jelly_Doughnut
Former Team Member
Posts: 34459
Joined: Sat Jan 18, 2003 1:26 am
Location: Where the Rivers Run

Re: Illegal use of $_SERVER.

Post by A_Jelly_Doughnut »

F-3000 wrote:
marcovo wrote: This makes me wonder what happens if I request the page index.php?REMOTE_ADDR=127.0.0.1?
I think that super globals are merged last, meaning that the $_GET['REMOTE_ADDR'] is overridden by $_SERVER's value.
Sort of off-topic, but $_SERVER is never merged into $_REQUEST, so there would be no effect from trying to set REMOTE_ADDR in GET/POST data. In phpBB 3.0, you accessed $_SERVER directly and $_REQUEST through request_var().

This is changed in 3.1 as Marc has explained.
A Donut's Blog
"Bach's Prelude (Cello Suite No. 1) is driving Indiana country roads in Autumn" - Ann Kish
Getekid
Registered User
Posts: 5
Joined: Sun Jan 13, 2013 3:13 pm
Name: Thomas Pappas

Re: Illegal use of $_SERVER.

Post by Getekid »

Hello everyone,

I am having a similar problem. I am working on a phpCAS authentication plugin so I have to use the phpCAS libraries which have a few uses of the $_SERVER and $_GET variables. For development purposes I tried to enable them again through $request->enable_global_variables() (so I can work on other parts first), but then I got an $_GET error message!! The method must have worked since initially I was getting an $_SERVER error, but I don't know why I am still getting another one since the enable method was called.

Afterwards I changed the $_GET lines with the $request->variable('myvar', '', false, \phpbb\request\request_interface::GET) but then I got:
Illegal use of $_GET. You must use the request class or request_var() to access input data. Found in /path/phpbb/request/request.php on line 389. This error message was generated by deactivated_super_global.
The aforementioned line is a phpbb core line that goes $var = $this->input[$super_global][$var_name];. The way I understand it this is the secure code that is executed instead of the global one, so it shouldn't get any errors.

What am I doing wrong?
Thanks

EDIT: I moved the enable method from the login form to the class constructor and now no errors appear.