Is it safe to use the $ _SERVER variables to log errors?

Question

Is it safe to use the $ _SERVER variables to log errors?

Navigation

#1 by (2 votes)
#2 by (2 votes)

4

We all know that it is possible to manipulate some information during a request, I never had to use anything like $_SERVER[HTTP_HOST] , $_SERVER[REQUEST_URI] or $_SERVER['REMOTE_ADDR'] because I know it has security implications.

But I want to log some errors on my system, and I thought of using those variables to add details in my log if a URL can not be correctly validated, that is, if it contains characters that do not fit in the% / p>

Here's an explanation of how logic works.

if (!filter_var( $url, FILTER_VALIDATE_URL))
{    
    $detalhes = array (
        'HTTP_HOST' => "http://$_SERVER[HTTP_HOST]",
        'REQUEST_URI' => "$_SERVER[REQUEST_URI]",
        'REMOTE_ADDR' => "$_SERVER[REMOTE_ADDR]"
        'HTTP_X_FORWARDED_FOR' => "$_SERVER['HTTP_X_FORWARDED_FOR']"
    );

    $erro->gerar('20x0010', $detalhes);
}

This FILTER_VALIDATE_URL string is the internal error code we use in the documentation to describe system errors, each [prefix] x [suffix] represents an error in a particular part of the system and the description , respectively.

In this function of 20x0010 , the system would check the gerar() object and determine if the debug is active.

If the debug is active, a screen for the developer will be displayed with all output information, error code description and additional descriptions, which are config variables, otherwise the user would be redirected to the index. In both cases errors are logged in a file.

I thought it was important to log this information because the most basic attacks could be logged. But I do not know if it would be safe to use these variables to add more detail to the error log.

php

asked by anonymous 23.11.2015 / 13:44

2 answers

2

The answer to your question can be found in the PHP manual itself specifically: $ _SERVER

I would like to highlight the paragraph:

$ _ SERVER is an array containing information such as headers, paths, and locations of the script. The entries in this array are created by the web server. There is no guarantee that each web server will provide some of these; servers may omit some, or provide others not listed here. That said, a large number of these variables are CGI 1.1 specification, then you should be able to to wait for them.

That said, it is usually safe to access this array , however, and professionally, if you want an always-functional solution regardless of server implementation any of your variables can be replicated.

For example, HTTP_HOST is usually part of the HTTP request. If HTTP_HOST is not set, the client can be one of two things: too old ( HTTP 1.0 does not support HTTP_HOST ) or was a direct request web site.

Many of the variables preceded by " HTTP _ " refer to variables present in the request header and in this case there are functions to obtain this content.

23.11.2015 / 14:26

File There is PHP How to remove Input image border

score 2 · Accepted Answer

$ HTTP_SERVER_VARS contains the same initial information, but is not a superglobal. (Note that $ HTTP_SERVER_VARS and $ _SERVER are different variables and that PHP handles them as such). Also note that long arrays were removed since PHP 5.4.0 only $ HTTP_SERVER_VARS does not exist anymore.

It means that they only contain headers information, paths and location of the scripts, but they are not global variables. The values of this array are provided by the server itself, and on some servers this information can be omitted. If it is to draw error lines, I believe there is no problem, but remembering that the purpose of logs is to log errors in as much detail as possible, without the end user having knowledge of these details, only the owner should be able to read this information because most often contain information relevant to the security of the site. Read this here if you're still at the edges.