 

Security: $_SERVER array sql injection in PHP

I have written a PHP function that records everything in the $_SERVER array and if there is a certain $_SERVER variable that doesn't exist in my Database, it will add that column.

My question is this: How secure does this sound to you? After researching and understanding the header information, some questions arise.

  1. Would a client be able to modify certain variables sent to the server through their browser agent or OS?
  2. Would someone who would be hosting a site from their own server be able to insert code into their own custom $_SERVER array?

Overall, I'm just asking exactly how secure this sounds, but those were the first concerns that come to mind.

If you find anything wrong with the way I asked this question, please comment before you down-vote and I will change it immediately.

asked Dec 11 '25 13:12 by luckybroman5


2 Answers

$_SERVER cannot be trusted. $_SERVER['HTTP_USER_AGENT'] contains a string that is easily user-configurable, so SQL injection is possible. There are even browser plugins for that purpose. In fact, there are a lot of $_SERVER vars that can be changed by the user, for example $_SERVER['HTTP_ACCEPT_LANGUAGE'].

Have a look at the Chrome plugin ModHeader:

[screenshot of the ModHeader extension]

answered Dec 14 '25 03:12 by ByteHamster
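The following is an added example, not code from the question or from ByteHamster's answer. It writes the pattern the question describes (record $_SERVER values in a table) the vulnerable way, with values concatenated into the SQL, and then a hardened way with a fixed column allow-list, bound parameters and unknown keys stored as JSON instead of driving ALTER TABLE. It assumes PDO with the sqlite driver; the table name `requests`, the column list and the crafted header values are made up for the demo. Note that any custom request header a client sends (for example `X-Evil: ...`) also shows up as a new key (`HTTP_X_EVIL`) in $_SERVER, so the "add a column if the key is new" logic in the question lets remote clients choose column names.

```php
<?php
// Added example (not from the question or answers): the $_SERVER-to-database
// pattern, vulnerable and hardened. Assumes PDO + sqlite; names are made up.

// Constructed stand-in for $_SERVER. A client can set the User-Agent with
// curl -A or a header plugin, and any extra header X-Evil arrives as HTTP_X_EVIL.
$fakeServer = [
    'REQUEST_METHOD'  => 'GET',
    'HTTP_USER_AGENT' => "Mozilla/5.0'), ('ADMIN', 'forged row') --",
    'HTTP_X_EVIL'     => 'attacker-chosen key and value',
];

function newDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE requests (REQUEST_METHOD TEXT, HTTP_USER_AGENT TEXT, extra TEXT)');
    return $pdo;
}

// VULNERABLE: $_SERVER values concatenated into the statement. The crafted
// User-Agent closes the VALUES tuple, appends a second tuple of its own and
// comments out the rest of the statement.
function recordVulnerable(PDO $pdo, array $server): void {
    $sql = "INSERT INTO requests (REQUEST_METHOD, HTTP_USER_AGENT) VALUES ('"
         . $server['REQUEST_METHOD'] . "', '" . $server['HTTP_USER_AGENT'] . "')";
    $pdo->exec($sql);
}

// HARDENED: column names come from code (they cannot be bound as parameters),
// every value is bound, and keys outside the allow-list, including any
// client-invented HTTP_* header, go into one JSON column rather than ALTER TABLE.
const RECORDED_COLUMNS = ['REQUEST_METHOD', 'HTTP_USER_AGENT'];

function recordSafe(PDO $pdo, array $server): void {
    $row = [];
    foreach (RECORDED_COLUMNS as $col) {
        $row[$col] = $server[$col] ?? null;
    }
    $extra = array_diff_key($server, array_flip(RECORDED_COLUMNS));
    $cols  = implode(', ', array_keys($row)) . ', extra';
    $marks = implode(', ', array_fill(0, count($row), '?')) . ', ?';
    $stmt  = $pdo->prepare("INSERT INTO requests ($cols) VALUES ($marks)");
    $stmt->execute(array_merge(array_values($row), [json_encode($extra)]));
}

// Compare the row counts: only the vulnerable path lets the User-Agent add
// a row, while the hardened path stores the whole User-Agent string verbatim.
$db = newDb();
recordVulnerable($db, $fakeServer);
echo "vulnerable: " . $db->query('SELECT COUNT(*) FROM requests')->fetchColumn() . " rows\n";

$db = newDb();
recordSafe($db, $fakeServer);
echo "hardened:   " . $db->query('SELECT COUNT(*) FROM requests')->fetchColumn() . " rows\n";
echo "stored UA:  " . $db->query('SELECT HTTP_USER_AGENT FROM requests')->fetchColumn() . "\n";
echo "extra:      " . $db->query('SELECT extra FROM requests')->fetchColumn() . "\n";
```

The design choice worth noting is the allow-list: prepared statements protect values, but the question's dynamic-column logic puts client-controlled strings into the identifier position of ALTER TABLE and INSERT, where no driver can bind them, so the only safe option is to never derive column names from the request at all.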


The $_SERVER variable is used by PHP to return information about the server; it is not a place to store data. To be honest, it's the first time I've heard of somebody wanting to use the $_SERVER superglobal to store data. Maybe you should use $_SESSION? I think that's the right way of storing data if a database is not an option...

Also, the $_SERVER array seems to refresh each time you reload a page. And as @ByteHamster pointed out, some of the values in the $_SERVER variable can be tampered with.

The point is that you are trying to use something which is not designed for that purpose...

answered Dec 14 '25 02:12 by Whirlwind


