473,466 Members | 3,167 Online
Bytes | Software Development & Data Engineering Community
Create Post

Home Posts Topics Members FAQ

Security of PHP Superglobals

41 New Member
Hi everyone,

I have a question regarding vulnerabilities related to PHP superglobals, in particular $_SERVER.

I will have a website on a shared hosting environment, and I am unsure of the risks of using the variables such as $_SERVER['DOCUMENT_ROOT'] for things such as "including" files i.e using the include, or require function.

Are there any know methods to spoof these variables?

I am doing my best to mitigate security risks; however, I do not have technical knowledge in this matter.

any help is appreciated.

thanks
Jun 4 '08 #1
2 1516
Atli
5,058 Recognized Expert Expert
Hi.

Always assume anything that comes from a superglobal is malicious in nature.

When accepting user submitted data, always sanitize and validate.
Simply escaping quotes, replacing HTML special chars and checking for potential SQL injections will go a long way.
Also, make sure to espace any string that is meant to be executed as a part of a shell command.

Avoid relying on values from $_ENV and $_SERVER.
Like in the case of $_SERVER['DOCUMENT_ROOT'].
This value is likely to stay constant, only ever changing if your change servers, or your webroot is altered.
It would be far safer to manually find this value and define it as a constant at the start of your script. That way you can be sure it's value is valid.

Can't think of anything else at the moment, so I'll leave it here :)
Jun 4 '08 #2
clai83
41 New Member
Thanks for the information.

I will take your advice and use a constant instead.
Jun 4 '08 #3

Sign in to post your reply or Sign up for a free account.

Similar topics

5
Superglobals blues
by: Dalibor Karlovic | last post by:
I need to access exaclty one of the superglobals arrays and don't want to use $_REQUEST. Having the name of the form method used on submit in $this->sMethod and the name of the feild submited in...
PHP
14
Database Security Issues
by: Jonathan Lamothe | last post by:
I'm helping someone to create an online database. All is fine and good except for one problem. Here it is: In order to provide connectivity to the database, I've created a file called...
PHP
2
How Referencing Superglobals?
by: xcomm | last post by:
Hi All, <?php $vars= array("_SERVER","_SERVER","_SERVER","_SERVER","_SERVER","_SERVER"); foreach($vars as $var) { if(isset($$var))echo("$var: ${$var}<br>\n"); } ?> php.net:
PHP
2
row level security
by: robert | last post by:
well, talk about timely. i'm tasked to implement a security feature, and would rather do so in the database than the application code. the application is generally Oracle, but sometimes DB2. ...
DB2 Database
116
Security - more complex than I thought
by: Mike MacSween | last post by:
S**t for brains strikes again! Why did I do that? When I met the clients and at some point they vaguely asked whether eventually would it be possible to have some people who could read the data...
Microsoft Access / VBA
4
Error using WS-Security
by: Ashish | last post by:
Hi Guys I am getting the following error while implementing authentication using WS-security. "Microsoft.Web.Services2.Security.SecurityFault: The security token could not be authenticated...
C# / C Sharp
0
Error while executing .NET remoing security dlls
by: prithvi g via .NET 247 | last post by:
Hi I am a newbie to .NET remoting, I am trying to implementauthorization using SSPI example provided by Michael Barnett. Ihave included the required dll(Microsoft.Samples.Security.SSPI.dll...
C# / C Sharp
1
Design Issue: Separating Application Security Model from the Application (Custom or User) Controls
by: Earl Teigrob | last post by:
Background: When I create a ASP.NET control (User or custom), it often requires security to be set for certain functionality with the control. For example, a news release user control that is...
ASP.NET
6
$_GET and $_POST superglobals are empty, but shouldn't be
by: chrispclay | last post by:
Hi, i am having problems with using superglobals. I have been trying to use the $_GET and $_POST superglobals but no matter which one i use, it doesn't print out anything. It doesn't print out what i...
PHP
1
Is that possible of reading the .csv file in column wise and the column have different lengths ?
by: Sonnysonu | last post by:
This is the data of csv file 1 2 3 1 2 3 1 2 3 1 2 3 2 3 2 3 3 the lengths should be different i have to store the data by column-wise with in the specific length. suppose the i have to...
C / C++
0
How to build RAID in BIOS?
by: Hystou | last post by:
There are some requirements for setting up RAID: 1. The motherboard and BIOS support RAID configuration. 2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
Computer Hardware
0
marktang
What is ONU?
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
General
0
jinu1996
Maximizing Business Potential: The Nexus of Website Design and Digital Marketing
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
Online Marketing
1
The easy way to turn off automatic updates for Windows 10/11
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
Windows Server
0
agi2029
AI Job Threat for Devs
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing,...
Career Advice
0
isladogs
Access Europe - Using VBA to create a class based on a table - Wed 1 May
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new...
Microsoft Access / VBA
0
Trying to create a lan-to-lan vpn between two differents networks
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The...
Networking - Hardware / Configuration
0
Windows Forms - .Net 8.0
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
Visual Basic .NET

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes
How to Post and Respond on Bytes
How to Promote and Link on Bytes
How to increase your Ranking on Bytes
Become a Recognized Expert on Bytes
Feedback Welcomed! Contact Us