KSST / KF

framework/Koch/Http/HttpRequest.php

<?php

/**
 * Koch Framework
 * Jens-André Koch © 2005 - onwards.
 *
 * This file is part of "Koch Framework".
 *
 * License: GNU/GPL v2 or any later version, see LICENSE file.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */

namespace Koch\Http;

/**
 * Koch Framework - Class for Request Handling.
 *
 * It encapsulates the access to sanitized superglobals ($_GET, $_POST, $_SERVER).
 * There are two ways of access (1) via methods && (2) via spl arrayaccess array handling.
 */
class HttpRequest implements HttpRequestInterface, \ArrayAccess
{
    /**
     * @var array Contains the cleaned Parameters.
     */
    private $post_parameters;

$post_parameters does not seem to conform to the naming convention (^[a-z][a-zA-Z0-9]*$).

    /**
     * @var array Contains the cleaned Parameters.
     */
    private $get_parameters;

$get_parameters does not seem to conform to the naming convention (^[a-z][a-zA-Z0-9]*$).

    /**
     * @var array Contains the cleaned Parameters.
     */
    private $cookie_parameters;

$cookie_parameters does not seem to conform to the naming convention (^[a-z][a-zA-Z0-9]*$).

    /**
     * @var The requestmethod. Possible values are GET, POST, PUT, DELETE.
     */
    protected static $request_method;

$request_method does not seem to conform to the naming convention (^[a-z][a-zA-Z0-9]*$).

    /**
     * @var string the base URL (protocol://server:port)
     */
    protected static $baseURL;

    /**
     * @var object Object with pieces of informations about the target route.
     */
    private $route;

    /**
     * Construct the Request Object.
     *
     * 1) Drop Superglobal $_REQUEST. Just hardcoded reminder for developers to not use it!
     * 2) Additional Security Checks
     * 3) Clear Array, Filter and Assign the $_REQUEST Global to it
     * 4) Detect REST Tunneling through POST and set request_method accordingly
     */
    public function __construct()

__construct uses the super-global variable $_REQUEST which is generally not recommended.

__construct uses the super-global variable $_SERVER which is generally not recommended.

__construct uses the super-global variable $_GET which is generally not recommended.

__construct uses the super-global variable $_POST which is generally not recommended.

__construct uses the super-global variable $_COOKIE which is generally not recommended.

    {
        // 1) Drop $_REQUEST and $GLOBALS. Usage is forbidden!
        unset($_REQUEST);
        //unset($GLOBALS);

        /*
         * 2) Additional Security Checks
         */

        // block XSS
        $_SERVER['PHP_SELF'] = htmlspecialchars($_SERVER['PHP_SELF']);
        if (isset($_SERVER['QUERY_STRING'])) {
            htmlspecialchars($_SERVER['QUERY_STRING']);
        }

        /*
         * 3) Init Parameter Arrays and Assign the GLOBALS
         */

        // Clear Parameters Array
        $this->get_parameters    = [];
        $this->post_parameters   = [];
        $this->cookie_parameters = [];

        // Assign the GLOBALS $_GET, $_POST, $_COOKIE

36% of this comment could be valid code. Did you maybe forget this after debugging?

        $this->get_parameters    = $_GET;
        $this->post_parameters   = $_POST;
        $this->cookie_parameters = $_COOKIE;

        /*
         * 4) Detect REST Tunneling through POST and set request_method accordingly
         */
        $this->detectRESTTunneling();
    }

    /**
     * Returns the raw POST Parameters Array.
     * Raw means: no validation, no filtering, no sanitization.
     *
     * @return array POST Parameters Array.
     */
    public function getPost()
    {
        return $this->post_parameters;
    }

    /**
     * Returns the HTTP POST data in raw format via Stream.
     *
     * @return string HTTP POST data (raw).
     */
    public function getPostRaw()
    {
        return file_get_contents('php://input');
    }

    /**
     * Returns the raw GET Parameters Array.
     * Raw means: no validation, no filtering, no sanitization.
     *
     * @return array GET Parameters Array.
     */
    public function getGet()
    {
        return $this->get_parameters;
    }

    /**
     * Returns the COOKIES Parameters Array.
     * Raw means: no validation, no filtering, no sanitization.
     *
     * @return array COOKIES Parameters Array.
     */
    public function getCookies()
    {
        return $this->cookie_parameters;
    }

    public function getServer()

The return type could not be reliably inferred; please add a @return annotation.

getServer uses the super-global variable $_SERVER which is generally not recommended.

    {
        return $_SERVER;
    }

    /**
     * expectParameters.
     *
     * a) isset test          -  to determine if the parameter is incomming
     * b) exception throwing  -  if parameter is not incomming, but expected
     *
     * @todo c) validation          -  validates the incomming parameter via rules
     *
     * $parameters array structure:
     * $parameters = array(
     *  'parametername' => array (      // parametername as key for rules array
     *      'source',                   // (GET|POST)
     *      'validation-rule'
     * );
     * 'modulename' => array ('GET', 'string|lowercase')
     *
     * @example
     * // parameter names only
     * $this->expectParameters(array('modulename','language'));
     * // parameters, one with rules
     * // parameters, all with rules
     *
     * @param array $parameters
     */
    public function expectParameters(array $parameters)
    {
        foreach ($parameters as $parameter => $array_or_parametername) {

$array_or_parametername does not seem to conform to the naming convention (^[a-z][a-zA-Z0-9]*$).

            /*
             * check if we have some rules to process
             */
            if (true === is_array($array_or_parametername)) {

$array_or_parametername does not seem to conform to the naming convention (^[a-z][a-zA-Z0-9]*$).

                $array_name = $array_or_parametername[0];      // GET|POST|COOKIE

$array_name does not seem to conform to the naming convention (^[a-z][a-zA-Z0-9]*$).

                #$validation_rules   = $array_or_parametername[1];      // some validation commands

60% of this comment could be valid code. Did you maybe forget this after debugging?

                /*
                 * ISSET or Exception
                 */
                $this->expectParameter($parameter, $array_name);

$array_name does not seem to conform to the naming convention (^[a-z][a-zA-Z0-9]*$).

                /*
                 * VALID or Exception
                 */
                #$this->validateParameter($parameter, $validation_rules);

80% of this comment could be valid code. Did you maybe forget this after debugging?

            } else { // if(is_int($array_or_parametername))

75% of this comment could be valid code. Did you maybe forget this after debugging?

                $this->expectParameter($array_or_parametername);

$array_or_parametername does not seem to conform to the naming convention (^[a-z][a-zA-Z0-9]*$).

            }
        }
    }

    /**
     * This method ensures that all the parameters you are expecting
     * and which are required by your action are really incomming with the request.
     * It's a multiple call to issetParameter(), with the difference,
     * that it throws an Exception if not isset!
     *
     * a) isset test          -  to determine if the parameter is incomming
     * b) exception throwing  -  if parameter is not incomming, but expected
     *
     * @param string $parameter
     * @param string $array     (GET|POST|COOKIE)
     */
    public function expectParameter($parameter, $array = '')
    {
        // when array is not defined issetParameter will searches (POST|GET|COOKIE)
        if (is_string($array)) {
            if (false === $this->issetParameter($parameter)) {
                throw new \Koch\Exception\Exception('Incoming Parameter missing: "' . $parameter . '".');
            }
        } else { // when array is defined issetParameter will search the given array
            if (false === $this->issetParameter($parameter, $array)) {
                throw new \Koch\Exception\Exception(
                    'Incoming Parameter missing: "' . $parameter . '" in Array "' . $array . '".'
                );
            }
        }
    }

    /**
     * isset, checks if a certain parameter exists in the parameters array.
     *
     * @param string $parameter Name of the Parameter
     * @param string $array     GET, POST, COOKIE. Default = GET.
     * @param bool   $where     If set to true, method will return the name of the array the parameter was found in.
     *
     * @return string boolean string arrayname

Should the return type not be boolean|string|null?

     */
    public function issetParameter($parameter, $array = 'GET', $where = false)
    {
        $array = mb_strtoupper($array);

        switch ($array) {
            case 'GET':
                if (isset($this->get_parameters[$parameter])) {
                    return ($where === false) ? true : 'get';

The expression $where === false ? true : 'get'; of type boolean|string adds the type boolean to the return on line 250 which is incompatible with the return type declared by the interface Koch\Http\HttpRequestInterface::issetParameter of type string.

                }
                break;
            case 'POST':
                if (isset($this->post_parameters[$parameter])) {
                    return ($where === false) ? true : 'post';

The expression $where === false ? true : 'post'; of type boolean|string adds the type boolean to the return on line 255 which is incompatible with the return type declared by the interface Koch\Http\HttpRequestInterface::issetParameter of type string.

                }
                break;
            case 'COOKIE':
                if (isset($this->cookie_parameters[$parameter])) {
                    return ($where === false) ? true : 'cookie';

The expression $where === false ? true : 'cookie'; of type boolean|string adds the type boolean to the return on line 260 which is incompatible with the return type declared by the interface Koch\Http\HttpRequestInterface::issetParameter of type string.

                }
                break;
            default:
                return false;

The return type of return false; (false) is incompatible with the return type declared by the interface Koch\Http\HttpRequestInterface::issetParameter of type string.

                break;

break is not strictly necessary here and could be removed.

        }
    }

    /**
     * get, returns a certain parameter if existing.
     *
     * @param string $parameter Name of the Parameter
     * @param string $array     GET, POST, COOKIE. Default = POST.
     * @param string $default   You can set a default value. It's returned if parametername was not found.

Should the type for parameter $default not be string|null?

     *
     * @return mixed data | null
     */
    public function getParameter($parameter, $array = 'POST', $default = null)
    {
        /*
         * check if the parameter exists in $array
         * the third property of issetParameter is set to true, so that we get the full and correct array name back
         */
        $parameter_array = $this->issetParameter($parameter, $array, true);

$parameter_array does not seem to conform to the naming convention (^[a-z][a-zA-Z0-9]*$).

        /*
         * we use type hinting here to cast the string with array name to boolean
         */
        if ((bool) $parameter_array === true) {

$parameter_array does not seem to conform to the naming convention (^[a-z][a-zA-Z0-9]*$).

            // this returns a value from the parameterarray
            return $this->{mb_strtolower($parameter_array) . '_parameters'}[$parameter];

$parameter_array does not seem to conform to the naming convention (^[a-z][a-zA-Z0-9]*$).

        } elseif ($default !== null) {
            // this returns the default value,incomming via method property $default
            return $default;
        } else {
            return;
        }
    }

    /**
     * set, returns a certain parameter if existing.
     *
     * @param string $parameter Name of the Parameter
     * @param string $array     G, P, C. Default = POST.
     *
     * @return mixed data | null
     */
    public function setParameter($parameter, $array = 'POST')
    {
        if (true === $this->issetParameter($parameter, $array)) {
            return $this->{mb_strtolower($array) . '_parameters'}[$parameter];
        } else {
            return;
        }
    }

    /**
     * Shortcut to get a Parameter from $_POST.
     *
     * @param string $name Name of the Parameter
     *
     * @return mixed data | null
     */
    public function getParameterFromPost($name)
    {
        return $this->getParameter($name, 'POST');
    }

    /**
     * Shortcut to get a Parameter from $_GET.
     *
     * @param string $name Name of the Parameter
     *
     * @return mixed data | null
     */
    public function getParameterFromGet($name)
    {
        return $this->getParameter($name, 'GET');
    }

    /**
     * Shortcut to get a Parameter from $_SERVER.
     *
     * @param string $name Name of the Parameter
     *
     * @return mixed data | null
     */
    public function getParameterFromServer($name)

getParameterFromServer uses the super-global variable $_SERVER which is generally not recommended.

    {
        if (in_array($name, array_keys($_SERVER), true)) {
            return $_SERVER[$name];
        } else {
            return;
        }
    }

    /**
     * Get previously set cookies.
     *
     * @param string $name Name of the Cookie
     *
     * @return Returns an associative array containing any previously set cookies.
     */
    public function getParameterFromCookie($name)
    {
        if (isset($this->cookie_parameters[$name]) === true) {
            return $this->cookie_parameters($name);

The method cookie_parameters() does not seem to exist on object<Koch\Http\HttpRequest>.

        }
    }

    /**
     * Get Value of a specific http-header.
     *
     * @param string $parameter Name of the Parameter
     *
     * @return string
     */
    public static function getHeader($parameter)

getHeader uses the super-global variable $_SERVER which is generally not recommended.

    {
        $parameter = 'HTTP_' . mb_strtoupper(str_replace('-', '_', $parameter));

        if ($_SERVER[$parameter] !== null) {
            return $_SERVER[$parameter];
        }

        return;
    }

    /**
     * Determine Type of Protocol for Webpaths (http/https)
     * Get for $_SERVER['HTTPS'].
     *
     * @todo check $_SERVER['SSL_PROTOCOL'] + $_SERVER['HTTP_X_FORWARD_PROTO']?
     * @todo check -> or $_SERVER['SSL_PROTOCOL']
     *
     * @return string
     */
    public static function getServerProtocol()
    {
        if (self::isSecure()) {
            return 'https://';
        } else {
            return 'http://';
        }
    }

    /**
     * Determine Type of Protocol for Webpaths (http/https)
     * Get for $_SERVER['HTTPS'] with boolean return value.
     *
     * @todo check about $_SERVER['SERVER_PORT'] == 443, is this always ssl then?
     *
     * @see $this->getServerProtocol()
     *
     * @return bool
     */
    public static function isSecure()

isSecure uses the super-global variable $_SERVER which is generally not recommended.

    {
        if (isset($_SERVER['HTTPS']) && (mb_strtolower($_SERVER['HTTPS']) === 'on' or $_SERVER['HTTPS'] === '1')) {

Using logical operators such as or instead of || is generally not recommended.

The if-else statement can be simplified to return isset($_SERVER['HTTPS']) && (mb_strtolower($_SERVER['HTTPS']) === 'on' or $_SERVER['HTTPS'] === '1');.

            return true;
        } else {
            return false;
        }
    }

    /**
     * Determine Port Number for Webpaths (http/https)
     * Get for $_SERVER['SERVER_PORT'] and $_SERVER['SSL_PROTOCOL'].
     *
     * @return string

Should the return type not be string|null?

     */
    private static function getServerPort()

getServerPort uses the super-global variable $_SERVER which is generally not recommended.

    {
        // custom port
        if (self::isSecure() === false and $_SERVER['SERVER_PORT'] !== 80) {

Using logical operators such as and instead of && is generally not recommended.

            return ':' . $_SERVER['SERVER_PORT'];
        }

        // custom ssl port
        if (self::isSecure() && $_SERVER['SERVER_PORT'] !== 443) {
            return ':' . $_SERVER['SERVER_PORT'];
        }
    }

    /**
     * Returns the base of the current URL
     * Format: protocol://server:port.
     *
     * The "template constant"" WWW_ROOT is later defined as getBaseURL
     * <form action="<?=WWW_ROOT?>/news/7" method="DELETE"/>
     *
     * @return string
     */
    public static function getBaseURL()
    {
        if (empty(self::$baseURL)) {
            // 1. Determine Protocol
            self::$baseURL = self::getServerProtocol();

            // 2. Determine Servername
            self::$baseURL .= self::getServerName();

            // 3. Determine Port
            self::$baseURL .= self::getServerPort();
        }

        return self::$baseURL;
    }

    /**
     * Get $_SERVER SERVER_NAME.
     *
     * @return string The name of the server host under which the current script is executing.
     */
    public static function getServerName()

getServerName uses the super-global variable $_SERVER which is generally not recommended.

    {
        return $_SERVER['SERVER_NAME'];
    }

    /**
     * Get $_SERVER REQUEST_URI.
     *
     * @return string The URI which was given in order to access this page; for instance, '/index.html'.
     */
    public static function getRequestURI()

getRequestURI uses the super-global variable $_SERVER which is generally not recommended.

    {
        if ($_SERVER['REQUEST_URI'] !== null) {
            return urldecode(mb_strtolower($_SERVER['REQUEST_URI']));
        }

        // MS-IIS and ISAPI Rewrite Filter (only on windows platforms)
        if (isset($_SERVER['HTTP_X_REWRITE_URL']) and stripos(PHP_OS, 'WIN') !== false) {

Using logical operators such as and instead of && is generally not recommended.

            return urldecode(mb_strtolower($_SERVER['HTTP_X_REWRITE_URL']));
        }

        $p = $_SERVER['SCRIPT_NAME'];
        if ($_SERVER['QUERY_STRING'] !== null) {
            $p .= '?' . $_SERVER['QUERY_STRING'];
        }

        return urldecode(mb_strtolower($p));
    }

    /**
     * Get $_SERVER REMOTE_URI.
     *
     * @return string
     */
    public static function getRemoteURI()

getRemoteURI uses the super-global variable $_SERVER which is generally not recommended.

    {
        return $_SERVER['REMOTE_URI'];
    }

    /**
     * Get $_SERVER QUERY_STRING.
     *
     * @return string The query string via which the page was accessed.
     */
    public static function getQueryString()

getQueryString uses the super-global variable $_SERVER which is generally not recommended.

    {
        return $_SERVER['QUERY_STRING'];
    }

    /**
     * Get the current Url.
     *
     * @return string Returns the current URL, which is the HOST + REQUEST_URI, without index.php.
     */
    public static function getCurrentUrl()

getCurrentUrl uses the super-global variable $_SERVER which is generally not recommended.

    {
        return str_replace('/index.php', '', 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
    }

    /**
     * Get IP = $_SERVER REMOTE_ADDRESS.
     *
     * @return string The IP/HOST from which the user is viewing the current page.
     */
    public static function getRemoteAddress()

getRemoteAddress uses the super-global variable $_SERVER which is generally not recommended.

    {
        $ip = null;

$ip is not used, you could remove the assignment.

        if ($_SERVER['HTTP_CLIENT_IP'] !== null) {
            $ip = $_SERVER['HTTP_CLIENT_IP'];
        } elseif ($_SERVER['HTTP_X_FORWARDED_FOR'] !== null) {
            $ip = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
            $ip = array_pop($ip);
        } elseif ($_SERVER['HTTP_X_REAL_IP'] !== null) {
            // NGINX - with natural russian config passes the IP as REAL_IP
            $ip = $_SERVER['HTTP_X_REAL_IP'];
        } elseif ($_SERVER['HTTP_FORWARDED_FOR'] !== null) {
            $ip = $_SERVER['HTTP_FORWARDED_FOR'];
        } elseif ($_SERVER['HTTP_CLIENT_IP'] !== null) {
            $ip = $_SERVER['HTTP_CLIENT_IP'];
        } elseif ($_SERVER['HTTP_X_CLUSTER_CLIENT_IP'] !== null) {
            $ip = $_SERVER['HTTP_X_CLUSTER_CLIENT_IP'];
        } elseif ($_SERVER['HTTP_FORWARDED'] !== null) {
            $ip = $_SERVER['HTTP_FORWARDED'];
        } elseif ($_SERVER['HTTP_X_FORWARDED'] !== null) {
            $ip = $_SERVER['HTTP_X_FORWARDED'];
        } else {
            $ip = $_SERVER['REMOTE_ADDR'];
        }

        if (true === self::validateIP($ip)) {
            return $ip;
        }
    }

    /**
     * Returns the User Agent ($_SERVER HTTP_USER_AGENT).
     *
     * @return string String denoting the user agent being which is accessing the page.
     */
    public static function getUserAgent()

This method seems to be duplicated in your project.

getUserAgent uses the super-global variable $_SERVER which is generally not recommended.

    {
        $ua          = strip_tags($_SERVER['HTTP_USER_AGENT']);
        $ua_filtered = filter_var($ua, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH);

$ua_filtered does not seem to conform to the naming convention (^[a-z][a-zA-Z0-9]*$).

        return $ua_filtered;

$ua_filtered does not seem to conform to the naming convention (^[a-z][a-zA-Z0-9]*$).

    }

    /**
     * Returns the Referrer ($_SERVER HTTP_REFERER).
     *
     * @return string The address of the page (if any) which referred the user agent to the current page.
     */
    public static function getReferer()

This method seems to be duplicated in your project.

getReferer uses the super-global variable $_SERVER which is generally not recommended.

    {
        if ($_SERVER['HTTP_REFERER'] !== null) {
            $refr          = strip_tags($_SERVER['HTTP_REFERER']);
            $refr_filtered = filter_var($refr, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH);

$refr_filtered does not seem to conform to the naming convention (^[a-z][a-zA-Z0-9]*$).

        }

        return $refr_filtered;

$refr_filtered does not seem to conform to the naming convention (^[a-z][a-zA-Z0-9]*$).

The variable $refr_filtered does not seem to be defined for all execution paths leading up to this point.

    }

    /**
     * Validates a given IP.
     *
     * @see getRemoteAddress()
     *
     * @param string $ip   The IP address to validate.
     * @param boolen $ipv6 Boolean true, activates ipv6 checking.

Should the type for parameter $ipv6 not be false|boolen?

     *
     * @return bool True, if IP is valid. False, otherwise.
     */
    public static function validateIP($ip, $ipv6 = false)

function validateIP() does not seem to conform to the naming convention (^(?:is|has|should|may|supports)).

    {
        if (true === $ipv6) {
            return (bool) filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
        } else {
            return (bool) filter_var(
                $ip,
                FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE | FILTER_FLAG_IPV4
            );
        }
    }

    /**
     * Get Route returns the static \Koch\Router\TargetRoute object.
     *
     * With php onbord tools you can't debug this.
     * Please use \Koch\Debug\Debug:firebug($route); to debug.
     * Firebug uses Reflection to show the static properties and values.
     *
     * @return object \Koch\Router\TargetRoute
     */
    public function getRoute()
    {
        return $this->route;
    }

    /**
     * Set Route Object.
     *
     * @param $route \Koch\Router\TargetRoute
     */
    public function setRoute(\Koch\Router\TargetRoute $route)
    {
        $this->route = $route;
    }

    /**
     * REST Tunneling Detection.
     *
     * This method takes care for REST (Representational State Transfer)
     * by tunneling PUT, DELETE through POST (principal of least power).
     * Ok, this is faked or spoofed REST, but lowers the power of POST
     * and it's short and nice in html forms.
     *
     * @todo consider allowing 'GET' through POST?
     *
     * @see https://wiki.nbic.nl/index.php/REST.inc
     * @see http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
     */
    public function detectRESTTunneling()

detectRESTTunneling uses the super-global variable $_SERVER which is generally not recommended.

detectRESTTunneling uses the super-global variable $_GET which is generally not recommended.

    {
        $allowed_rest_methodnames = ['DELETE', 'PUT'];

$allowed_rest_methodnames does not seem to conform to the naming convention (^[a-z][a-zA-Z0-9]*$).

        // request_method has to be POST AND GET has to to have the method GET
        if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST'
            and $this->issetParameter('GET', 'method')) {

Using logical operators such as and instead of && is generally not recommended.

            // check for allowed rest commands
            if (in_array(mb_strtoupper($_GET['method']), $allowed_rest_methodnames, true)) {

$allowed_rest_methodnames does not seem to conform to the naming convention (^[a-z][a-zA-Z0-9]*$).

                // set the internal (tunneled) method as new REQUEST_METHOD
                self::setRequestMethod($_GET['method']);

                // unset the tunneled method
                unset($_GET['method']);

                // now strip the methodname from the QUERY_STRING and rebuild REQUEST_URI

                // rebuild the QUERY_STRING from $_GET
                $_SERVER['QUERY_STRING'] = http_build_query($_GET);
                // rebuild the REQUEST_URI
                $_SERVER['REQUEST_URI'] = $_SERVER['SCRIPT_NAME'];
                // append QUERY_STRING to REQUEST_URI if not empty
                if ($_SERVER['QUERY_STRING'] !== '') {
                    $_SERVER['REQUEST_URI'] .= '?' . $_SERVER['QUERY_STRING'];
                }
            } else {
                throw new \Koch\Exception\Exception(
                    'Request Method failure. You tried to tunnel a ' . $this->getParameter('method', 'GET')
                    . ' request through an HTTP POST request.'
                );
            }
        } elseif (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'GET'
            and $this->issetParameter('GET', 'method')) {

Using logical operators such as and instead of && is generally not recommended.

            // NOPE, there's no tunneling through GET!
            throw new \Koch\Exception\Exception(
                'Request Method failure. You tried to tunnel a ' . $this->getParameter('method', 'GET')
                . ' request through an HTTP GET request.'
            );
        }
    }

    /**
     * Get the REQUEST METHOD (GET, HEAD, POST, PUT, DELETE).
     *
     * HEAD request is returned internally as GET.
     * The internally set request_method (PUT or DELETE) is returned first,
     * because we might have a REST-tunneling.
     *
     * @return string request method
     */
    public static function getRequestMethod()

getRequestMethod uses the super-global variable $_SERVER which is generally not recommended.

    {
        if (self::$request_method !== null) {
            return self::$request_method;

The return type of return self::$request_method; (Koch\Http\The) is incompatible with the return type declared by the interface Koch\Http\HttpRequestInterface::getRequestMethod of type string.

        }

        $method = $_SERVER['REQUEST_METHOD'];

        // get method from "http method override" header
        if (isset($_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'])) {
            return $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'];
        }

        // add support for HEAD requests, which are GET requests
        if ($method === 'HEAD') {
            $method = 'GET';
        }

        return $method;
    }

    /**
     * Set the REQUEST_METHOD.
     */
    public static function setRequestMethod($method)
    {
        self::$request_method = strtoupper($method);

It seems like strtoupper($method) of type string is incompatible with the declared type object<Koch\Http\The> of property $request_method.

    }

    /**
     * Checks if a ajax(xhr)-request is given,
     * by checking X-Requested-With Header for XMLHttpRequest.
     *
     * @return bool true if the request is an XMLHttpRequest, false otherwise
     */
    public static function isAjax()

isAjax uses the super-global variable $_SERVER which is generally not recommended.

    {
        if (isset($_SERVER['X-Requested-With']) and $_SERVER['X-Requested-With'] === 'XMLHttpRequest') {

Using logical operators such as and instead of && is generally not recommended.

            return true;
        } elseif (isset($_SERVER['HTTP_X_REQUESTED_WITH']) and $_SERVER['HTTP_X_REQUESTED_WITH'] === 'XMLHttpRequest') {

Using logical operators such as and instead of && is generally not recommended.

            return true;
        } else {
            return false;
        }
    }

    /**
     * is(GET|POST|PUT|DELETE)
     * Boolean "getters" for several HttpRequest Types.
     * This makes request type checking in controllers easy.
     */

    /**
     * Determines, if request is of type GET.
     *
     * @return bool
     */
    public function isGet()
    {
        return self::$request_method === 'GET';
    }

    /**
     * Determines, if request is of type POST.
     *
     * @return bool
     */
    public function isPost()
    {
        return self::$request_method === 'POST';
    }

    /**
     * Determines, if request is of type PUT.
     *
     * @return bool
     */
    public function isPut()
    {
        return self::$request_method === 'PUT';
    }

    /**
     * Determines, if request is of type DELETE.
     *
     * @return bool
     */
    public function isDelete()
    {
        return self::$request_method === 'DELETE';
    }

    /**
     * Implementation of SPL ArrayAccess
     * only offsetExists and offsetGet are relevant.
     */
    public function offsetExists($offset)
    {
        return $this->issetParameter($offset);

The expression $this->issetParameter($offset); of type boolean|string|null adds the type string to the return on line 806 which is incompatible with the return type declared by the interface ArrayAccess::offsetExists of type boolean.

    }

    public function offsetGet($offset)
    {
        return $this->getParameter($offset);
    }

    // not setting request vars
    public function offsetSet($offset, $value)
    {
        return false;
    }

    // not unsetting request vars
    public function offsetUnset($offset)
    {
        return false;
    }
}