Security of PHP Superglobals

  • clai83
    New Member
    • Dec 2007
    • 41

    Security of PHP Superglobals

    Hi everyone,

    I have a question regarding vulnerabilities related to PHP superglobals, in particular $_SERVER.

    I will have a website on a shared hosting environment, and I am unsure of the risks of using variables such as $_SERVER['DOCUMENT_ROOT'] for things such as "including" files, i.e. using the include or require function.

    Are there any known methods to spoof these variables?

    I am doing my best to mitigate security risks; however, I do not have technical knowledge in this matter.

    Any help is appreciated.

    thanks
  • Atli
    Recognized Expert
    • Nov 2006
    • 5062

    #2
    Hi.

    Always assume anything that comes from a superglobal is malicious in nature.

    When accepting user submitted data, always sanitize and validate.
    Simply escaping quotes, replacing HTML special chars and checking for potential SQL injections will go a long way.
    Also, make sure to escape any string that is meant to be executed as a part of a shell command.

    Avoid relying on values from $_ENV and $_SERVER.
    Like in the case of $_SERVER['DOCUMENT_ROOT'].
    This value is likely to stay constant, only ever changing if you change servers, or your webroot is altered.
    It would be far safer to manually find this value and define it as a constant at the start of your script. That way you can be sure its value is valid.

    Can't think of anything else at the moment, so I'll leave it here :)

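An added example of the approach in the answer above (this is illustrative code, not from the original thread or either poster): the application root is pinned in a constant derived from `__DIR__`, which the PHP compiler resolves from the script's real location and which no HTTP request can influence, and a user-supplied page name is only ever mapped to a file through an explicit allowlist plus a `realpath()` containment check. The `page` query parameter, the `pages/*.php` files and the directory layout are assumptions for the example; it targets PHP 7 or later. One caveat worth keeping in mind when reading `$_SERVER`: `DOCUMENT_ROOT` and `SCRIPT_FILENAME` come from the web server's configuration, but every `HTTP_*` entry mirrors a client-sent header and `PHP_SELF`, `PATH_INFO` and `REQUEST_URI` are derived from the requested URL, so those entries deserve the same validation and escaping as `$_GET` and `$_POST`.

```php
<?php
// Added example (not the original poster's or answerer's code): pin the
// application root in a constant instead of reading $_SERVER['DOCUMENT_ROOT']
// at runtime, and only include files from an explicit allowlist under it.

declare(strict_types=1);

// __DIR__ is resolved by the PHP compiler from this file's real location and
// cannot be influenced by the request. Assumed layout: this front controller
// lives in <project>/public, so the application root is one level up.
define('APP_ROOT', realpath(__DIR__ . '/..'));

// Pages this script may include, keyed by the value allowed in the "page"
// query parameter (assumed parameter and file names). Anything else is refused.
const ALLOWED_PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

/**
 * Map a user-supplied page name to an absolute path under APP_ROOT.
 * Returns null if the name is not allowlisted, the file does not exist, or
 * its canonical path (after symlink / ".." resolution) leaves APP_ROOT.
 */
function resolvePage(string $name): ?string
{
    if (!array_key_exists($name, ALLOWED_PAGES)) {
        return null;
    }
    $path = realpath(APP_ROOT . '/' . ALLOWED_PAGES[$name]);
    // realpath() returns false for a missing file; also confirm the resolved
    // path still starts with APP_ROOT followed by a separator.
    $prefix = APP_ROOT . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// --- Request handling -----------------------------------------------------

// Every superglobal value is untrusted input: validate it against the
// allowlist rather than building a filesystem path from it.
$page = (isset($_GET['page']) && is_string($_GET['page'])) ? $_GET['page'] : 'home';
$file = resolvePage($page);

if ($file === null) {
    http_response_code(404);
    // Escape before echoing so a crafted "page" value cannot inject HTML.
    echo 'Unknown page: ' . htmlspecialchars($page, ENT_QUOTES, 'UTF-8');
    exit;
}

require $file;

// $_SERVER caveat: DOCUMENT_ROOT and SCRIPT_FILENAME come from the web
// server's configuration, but HTTP_HOST, HTTP_REFERER and every other HTTP_*
// entry mirror client-sent headers, and PHP_SELF, PATH_INFO and REQUEST_URI
// are derived from the requested URL. Treat those like $_GET and $_POST.

// If a request value must ever reach a shell, wrap it with escapeshellarg()
// instead of interpolating it (illustrative only; prefer not to shell out):
//   $listing = shell_exec('ls -l ' . escapeshellarg($userSuppliedDir));
```

The allowlist does the real work here: even if an attacker fully controls the `page` parameter, the only files that can ever be included are the three named in `ALLOWED_PAGES`, and the `realpath()` check guards against a listed file being replaced by a symlink that points outside the project.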

    • clai83
      New Member
      • Dec 2007
      • 41

      #3
      Thanks for the information.

      I will take your advice and use a constant instead.
