I'm creating a simple "debugging" page for visitors, for them to be able to check the data they just sent to a URL. I was wondering which default PHP variables are safe to show to visitors. I have tried to the best of my ability to check the PHP documentation and looked at the content myself to ensure no sensitive information is exposed, but I still feel like someone with experience might know about some gotchas that I might not have taken into consideration.
My assumptions currently are:
- $_GET, $_POST and $_REQUEST only hold what the visitors sent us, which would make me believe it is completely safe to show/dump all the contents of those variables to them.
- $_COOKIE: this one, I think, is the cookies set for that visitor, which they have in their browsers anyway and which should therefore be safe to show/dump to them.
- $_SERVER: not safe to show all content, but it should be safe to show them specific headers such as $_SERVER["HTTP_MY_SPECIFIC_HEADER"].
- $_SESSION: should never be shown to visitors, if not something specific such as $_SESSION["IsLoggedIn"]…
Do you think that these assumptions hold up, or am I leaking sensitive information in some cases and opening myself up to vulnerabilities? I think this will help a lot of new PHP developers avoid pitfalls in the future, by understanding what is allowed to be shown and what should be kept away from visitors. Thanks!
2 Answers
It depends how you are showing the variables.
If you are just dumping out the contents of $_GET and $_POST then you need to be careful you do not open yourself up to Cross-Site Scripting (XSS) or the like.
For example, if I request https://yoursite.com/page?var=<script>alert("U r haXXed");</script>, will it display the text of the script (tags included) or will it make this script a part of your page?
This might not sound like the biggest issue, but if you bring phishing into the equation then it becomes a lot scarier. I can send someone a link to https://yoursite.com/page?var=<script>window.location.href="https://evilsite.com/site/yoursite.com";</script>, which (if the script gets executed) will redirect users of your site to evilsite.com. I can then serve a login page that looks like yours and steal their credentials.
There's nothing wrong with getting/reading your data from one of these superglobal arrays; it's really the only way to actually get the data using PHP. You just have to make sure you escape it for whatever you're using it in by filtering info.
Modifying the contents of the superglobals is considered poor practice. As you know, these array values are available as globals, and you can't control data modification if you are modifying data anywhere. So it's better to use a class with getters and setters to fetch and modify those global variables, always, for safe data manipulation.
Hope you get your point 😉
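The escaping point made in the answers above, as an added example that is not part of either answer: a debug dump that HTML-escapes every key and value before output and shows only allow-listed $_SERVER entries. The function names and the sample request data are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Escape one scalar for an HTML text context so markup is shown, not executed.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render request data as nested <ul> lists. Keys are visitor-controlled too,
// and values may be arrays (e.g. ?a[]=1), so both are escaped or recursed into.
function render_list(array $data): string
{
    if ($data === []) {
        return '<em>(empty)</em>';
    }
    $html = '<ul>';
    foreach ($data as $key => $value) {
        $shown = is_array($value) ? render_list($value) : esc((string) $value);
        $html .= '<li><code>' . esc((string) $key) . '</code>: ' . $shown . '</li>';
    }
    return $html . '</ul>';
}

// Only allow-listed $_SERVER keys are ever shown; everything else stays private.
function pick_server(array $server, array $allowed): array
{
    return array_intersect_key($server, array_flip($allowed));
}

function render_debug_page(array $get, array $post, array $server, array $allowed): string
{
    return '<h2>GET</h2>' . render_list($get)
         . '<h2>POST</h2>' . render_list($post)
         . '<h2>Headers</h2>' . render_list(pick_server($server, $allowed));
}

// Constructed sample input standing in for a real request (not from the page).
$sampleGet    = ['var' => '<script>alert("U r haXXed");</script>', 'a' => ['1', '2']];
$sampleServer = ['HTTP_MY_SPECIFIC_HEADER' => 'demo', 'DOCUMENT_ROOT' => '/srv/app'];

header('Content-Type: text/html; charset=UTF-8');
echo render_debug_page($sampleGet, [], $sampleServer, ['HTTP_MY_SPECIFIC_HEADER']);
// On a live page, pass $_GET, $_POST and $_SERVER instead of the samples.
```

With the sample input, the script tag from the first answer is rendered as visible text, and DOCUMENT_ROOT never reaches the output because it is not on the allow-list.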