
Errors turned up by code analyzer.


ajoo


Hi all !

I just passed my code through an analyzer and it showed that a lot of it was not following best practices.

Some examples are below:

1.Direct use of $_SERVER Superglobal detected.

if($_SERVER['REQUEST_METHOD']==="POST"){
if(!isset($_SESSION)) sess_start();
if(isset($_SESSION['timeout'])){
$_SESSION['user']=$user;

2. Direct use of $_POST Superglobal detected.

if(isset($_POST['submit']) && $_POST['submit'] ==='Logoff'){
$_POST = array();
$usertype = fcheckRecruiter($_POST['usertype']);

and many more like these concerning the use of SUPERGLOBALS.

3. Discouraged functions

   header(), session_unset(), mysqli_close(), session_destroy() and require_once, to name a few, besides a lot of other common PHP functions.

header ("Location: donepage.php");
session_unset();
mysqli_close($link);
session_destroy();

Well the question is obviously how to tackle these. The surprising part though is that prior to checking the code by an analyzer, I had no clue, like many other coders on this forum perhaps, especially the newbies, that my code was flawed or at least not following the best practices. I never found a single piece of code on the net, in examples, even in examples in the PHP manual that showed the correct usage of these as per best practices. The most surprising of these were of course the SUPERGLOBALS since they are used everywhere and by almost everybody.

Googling the internet shows that hardly anyone is clear about these. People are debating the direct usage of superglobals where they are used for checking the existence of the variable. So it's all very moot and very grey, it seems.

Then there are common functions, some of which I mentioned above. For example, how would I reset the superglobal $_POST if not by setting it to a blank array?

$_POST = array();

Why are these functions, listed above, discouraged from use, and what are the alternate functions and how should they be used? How do I achieve the same functionality in an alternate way?

For the use of superglobals I found that it's proposed to use the filters or filter functions to sanitise or validate the input. If I recall correctly, Guru Jacques strongly advised against sanitizing any user input. While I can understand validation of user input, sanitization of it seems to be wrong?

I would be very grateful if someone can shed some light on these very basic and important questions and provide, if possible, some examples of the correct method of using these in code.

Thanks all !

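One way to handle items 1 to 3 together, as an added example that is not the poster's code: the request is read once through filter_input() and validated against a whitelist instead of being "sanitised", and the logout path empties the session, expires the session cookie, destroys the session and redirects, without ever reassigning $_POST. The list of user types, the field names and the donepage.php target are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Hypothetical whitelist of user types;
// validation means rejecting anything outside it, not stripping characters out of it.
const ALLOWED_USERTYPES = ['recruiter', 'candidate', 'admin'];

/**
 * Read the request exactly once and validate it. Returns null when the request
 * is not a POST or a field is missing or invalid, so callers never see raw input.
 */
function readLoginRequest(): ?array
{
    // Reading $_SERVER once here is deliberate: filter_input(INPUT_SERVER, ...) is
    // unreliable under some SAPIs, and REQUEST_METHOD is set by the server, not the client.
    $method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
    if ($method !== 'POST') {
        return null;
    }

    // filter_input() returns null for a missing field and false when the value is
    // not a scalar (e.g. usertype[]=x); neither reaches the application as a string.
    $submit   = filter_input(INPUT_POST, 'submit', FILTER_DEFAULT);
    $usertype = filter_input(INPUT_POST, 'usertype', FILTER_DEFAULT);
    if (!is_string($submit) || !is_string($usertype)) {
        return null;
    }
    if (!in_array($usertype, ALLOWED_USERTYPES, true)) {
        return null;   // validate: reject, do not rewrite the value into something "safe"
    }
    return ['submit' => $submit, 'usertype' => $usertype];
}

/**
 * Log the user out: empty the session, expire the session cookie on the client,
 * destroy the server-side session, then redirect. This follows the sequence in the
 * PHP manual's session_destroy() example, plus an exit so nothing runs afterwards.
 */
function logoutAndRedirect(string $target): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];                      // same effect as session_unset()
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    // header() must be sent before any output; 303 makes the browser GET the target.
    header('Location: ' . $target, true, 303);
    exit;
}

$request = readLoginRequest();
if ($request !== null && $request['submit'] === 'Logoff') {
    logoutAndRedirect('donepage.php');   // fixed target, never taken from the request
}
```

What makes header() and session_destroy() risky in practice is the code around them rather than the functions themselves: a redirect that is not followed by exit keeps executing the rest of the script, and session_destroy() on its own leaves the session cookie on the client. Note also that checking for POST is not CSRF protection; a per-session token in the form would be needed for that.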

What "code analyzer" did you use?  If it was part of some framework, then it is implying that you should use the framework methods to access superglobals, set headers, etc.  Regarding a few of its other recommendations:

  1. require_once.  While in the past I often used this, it has been quite a while.  Use an autoloader instead and composer whenever applicable.
  2. $_POST = array().  With the exception of $_SESSION, I don't think there would ever be a good reason to modify a superglobal.  Global variables, whether global by nature or defined so by the developer, become a troubleshooting nightmare if they ever have multiple states.
  3. mysqli_close.  Use PDO instead.
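The PDO replacement suggested above, as an added example rather than anything posted in the thread. The DSN, the credentials (read from the environment) and the users table are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. PDO equivalent of a mysqli prepared query.
// Hypothetical DSN, credentials and `users` table.

function connect(): PDO
{
    $dsn      = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4';
    $password = getenv('DB_PASSWORD');
    return new PDO($dsn, 'app_user', $password === false ? '' : $password, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // failures throw instead of returning false
        PDO::ATTR_EMULATE_PREPARES   => false,                  // server-side prepares; values never enter the SQL text
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

/** Look up a user's type; null when no such user exists. */
function findUserType(PDO $db, string $username): ?string
{
    $stmt = $db->prepare('SELECT usertype FROM users WHERE username = :name');
    $stmt->execute([':name' => $username]);
    $row = $stmt->fetch();
    return $row === false ? null : (string) $row['usertype'];
}

$db = connect();
try {
    $type = findUserType($db, 'alice');
} finally {
    // There is no mysqli_close() equivalent to call: dropping the last reference
    // closes the connection, and at the end of a request even this is unnecessary.
    $db = null;
}
```

With ERRMODE_EXCEPTION set, a failed prepare or execute throws, so the result does not need to be checked for false at every call site, which is where most mysqli code silently goes wrong.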

Hi NotionCommotion,

The code analyzer I used is codacy. It's a static code analyzer. I do not think it is using any framework and I am not using any framework for my code either.

Quote

Use an autoloader instead and composer whenever applicable.

I have never used any autoloader ever and have no idea about it. I have also never tried composer either. Are these not to be used with frameworks? Or can I use them in my project which uses no framework or OOP? If so, then a small example of their usage would be great and get me going.

$_POST = array();   $_SESSION = array();

I have used these just before destroying a session and logging a user out.

mysqli_close.

I have used prepared statements throughout.

Thanks for the response. I hope some more inputs on this will follow till something concrete can be used to replace the faulty code, or it is proved that some of the errors may be superfluous and the code may be used safely as is.

Thanks !

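An autoloader does not need a framework: this added example (not code from the thread) registers a PSR-4 autoloader by hand, which is the same job Composer's generated vendor/autoload.php does for you. The App\ namespace prefix, the src/ directory and the App\Auth\Session class are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Minimal PSR-4 autoloader: the first time a
// class such as App\Auth\Session is referenced, PHP calls the registered closure,
// which maps the namespace prefix to a directory and loads src/Auth/Session.php.
// The App\ prefix, the src/ directory and the class itself are hypothetical.

spl_autoload_register(function (string $class): void {
    $prefix  = 'App\\';
    $baseDir = __DIR__ . '/src/';

    if (strncmp($class, $prefix, strlen($prefix)) !== 0) {
        return;                          // not our namespace; leave it to other autoloaders
    }
    $relative = substr($class, strlen($prefix));
    $file     = $baseDir . str_replace('\\', '/', $relative) . '.php';

    // require, not require_once: PHP asks the autoloader only once per class,
    // so the hand-maintained list of includes at the top of each script disappears.
    if (is_file($file)) {
        require $file;
    }
});

// src/Auth/Session.php would declare:  namespace App\Auth; class Session { ... }
$session = new App\Auth\Session();
```

The Composer equivalent is an "autoload" section in composer.json, for example {"autoload": {"psr-4": {"App\\": "src/"}, "files": ["src/functions.php"]}}, followed by composer dump-autoload and a single require __DIR__ . '/vendor/autoload.php'; at the entry point. The "files" key is what covers a procedural codebase: the listed files are included once per request, so plain function files work without any classes.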

Hi all ! 

Just nudging this once again in the hope of some more replies and thus some more information on this, I think, rather critical issue, which I am sure lots of coders become aware of rather late in the day!

Thank you all !


Archived

This topic is now archived and is closed to further replies.
