Is it safe to use switch to determine the HTTP method?

Question

I recently read a tutorial (http://code.tutsplus.com/tutorials/a-beginners-guide-to-http-and-rest--net-16340) on determining the HTTP headers to change the action of a script. The tutorial gives an example of a PHP script to accomplish this

$method = $_SERVER['REQUEST_METHOD'];

switch($method) {
  case 'PUT':
    $this->create_contact($name);
  break;

  case 'DELETE':
    $this->delete_contact($name);
  break;

  case 'GET':
    $this->display_contact($name);
  break;

  default:
    header('HTTP/1.1 405 Method Not Allowed');
    header('Allow: GET, PUT, DELETE');
   break;
}

...and mentions

We use a switch statement, which should be avoided in a real application:

Several questions:

1. Why would you avoid using this function?
2. Is there a vulnerability in using the switch statement itself, or is it the $_SERVER variable that makes it vulnerable?
3. An answer in this post (Is $_SERVER['QUERY_STRING'] safe from XSS?) recommends the use of htmlentities to protect $_SERVER values. Is this sufficient?

Thanks very much!

Answer 1

Why would you avoid using this function?

Many programmers would pick their reasons to avoid using "switch" statements, depending on the context.

For instance, a project might have many "switch" statements with duplicated code to do something that would be solved with polymorphism.

The "switch", in this case, is being used to map HTTP methods with callables (except the "default"): you could map http methods to callables that could be replaced in runtime. Python programmers who follow the "pythonic philosophy" use dictionaries to do the same thing that "switch" statements do, but with the ability to change the map in runtime.

Is there a vulnerability in using the switch statement itself, or is it the $_SERVER variable that makes it vulnerable?

No, there aren't vulnerabilities in using "switch" by itself.

You should not thrust the values from $_SERVER because they're input from web clients (usually browsers). A simple "curl" script can send inaccurate or invalid data, such as the IP address, User-agent, the referer, etc. This is useful for web scraping (some websites are implemented to prevent naive scraping).

Check the "filter_input" function to filter values from global variables with input values ($_GET, $_POST, $_COOKIE, $_SERVER, $_ENV).

An answer in this post (Is $_SERVER['QUERY_STRING'] safe from XSS?) recommends the use of htmlentities to protect $_SERVER values. Is this sufficient?

It depends on the context.

For instance, if you want to use it for javascript code, it would not be enough to protect from XSS. In this case, you'd need to to use a function to escape the strings for javascript ("json_encode" might be helpful in this case).

Answer 2

To answer your switch question, the reason for potentially not using it in an application is that it is slower than using if / else if / else -- there are some benchmarks available at PHP Bench that demonstrate this. The performance difference of switch vs if/else is likely to be negligible in comparison to time taken for requests and responses to be sent across a network.

Some programmers think that switch constructs are less legible than if/else -- that is down to personal taste though. There is nothing intrinsically "unsafe" about using switch.

There are a number of existing SO questions that cover sanitising input in PHP, so I suggest you check them out. E.g. Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection? and What is the best method for sanitising user input with PHP?