Hello,
First of all, thank you for the quality library. I rarely have such a high confidence level for a PHP library after perusing its code.
This is probably a nitpick, but I notice that in the constructor of the AntiCSRF class, both $post and $server are passed by reference. However, there seems to be no code which writes to these variables. This is misleading, because usually passing by reference in PHP is a way to inform users of a class that the value will get mutated.
I think this is important because in some execution environments (for example: automated tests), $_SERVER will not contain the expected information such as REMOTE_ADDR or REQUEST_URI. As such, I need to know that it's okay to simply pass a made-up array that simulates the structure of $_SERVER without impacting the functionality of the library. But the pass-by-reference semantics gives me the opposite impression.
I believe only $session should be passed by reference in the constructor of AntiCSRF.