We all know that it is possible to manipulate some information during a request. I never had to use anything like $_SERVER[HTTP_HOST], $_SERVER[REQUEST_URI] or $_SERVER['REMOTE_ADDR'] because I know they have security implications.
However, I want to log some errors in my system, and I thought of using these variables to add details to my log if a URL cannot be validated correctly, that is, if it contains characters that do not pass FILTER_VALIDATE_URL.
Here is an explanation of how the logic works.
if (!filter_var($url, FILTER_VALIDATE_URL))
{
    // Request details attached to the log entry; everything except REMOTE_ADDR is client-supplied
    $detalhes = array(
        'HTTP_HOST'            => "http://$_SERVER[HTTP_HOST]",
        'REQUEST_URI'          => "$_SERVER[REQUEST_URI]",
        'REMOTE_ADDR'          => "$_SERVER[REMOTE_ADDR]",              // comma was missing here
        'HTTP_X_FORWARDED_FOR' => $_SERVER['HTTP_X_FORWARDED_FOR'] ?? '' // a quoted key is a parse error inside "..."; header may be absent
    );
    $erro->gerar('20x0010', $detalhes);
}
That string 20x0010 is the internal error code we use in the documentation to describe system errors; each [prefix]x[suffix] identifies an error in a certain part of the system and its description, respectively.
In the gerar() function, the system checks the config object and determines whether debug is active.
If debug is active, a screen is displayed to the developer with all the output information, the error code description and the additional details, which are the $_SERVER variables; otherwise the user is redirected to the index. In both cases the errors are logged to a file.
I thought it was important to log this information because the most basic attacks could be logged. However I don’t know if it would be safe to use these variables to add more details to the error log.
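The following is an added example, not code from the question: it builds the same $detalhes array but neutralises the request values before they reach the log file, since HTTP_HOST, REQUEST_URI and HTTP_X_FORWARDED_FOR are client-controlled and can carry line breaks or control characters that forge extra log entries. The function names sanitizeLogValue() and buildErrorDetails() and the sample request are assumptions made for this example.

```php
<?php
// Added example (not part of the original question): sanitise $_SERVER values
// before logging so one request always produces one log line of bounded size.

function sanitizeLogValue(?string $value, int $maxLen = 512): string
{
    if ($value === null) {
        return '-';                                   // header/value absent
    }
    // Strip CR, LF, NUL and other control characters: blocks log-line injection.
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $value);
    // Replace any remaining non-printable/non-ASCII bytes so the log stays readable.
    $clean = preg_replace('/[^\x20-\x7E]/', '?', $clean);
    if (strlen($clean) > $maxLen) {                   // bound the entry size
        $clean = substr($clean, 0, $maxLen) . '...[truncated]';
    }
    return $clean === '' ? '-' : $clean;
}

function buildErrorDetails(array $server): array
{
    // REMOTE_ADDR comes from the TCP connection, so it can be validated as an IP.
    $remote = filter_var($server['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP);
    // X-Forwarded-For is just a request header: record it, but do not treat it
    // as the real client address unless a proxy you control sets it.
    return [
        'HTTP_HOST'            => sanitizeLogValue($server['HTTP_HOST'] ?? null, 255),
        'REQUEST_URI'          => sanitizeLogValue($server['REQUEST_URI'] ?? null, 2048),
        'REMOTE_ADDR'          => $remote !== false ? $remote : 'invalid',
        'HTTP_X_FORWARDED_FOR' => sanitizeLogValue($server['HTTP_X_FORWARDED_FOR'] ?? null, 255),
    ];
}

// Constructed sample request (assumption): Host header containing a CRLF.
$sample = [
    'HTTP_HOST'            => "example.test\r\nforged second line",
    'REQUEST_URI'          => '/login?next=/account',
    'REMOTE_ADDR'          => '203.0.113.10',
    'HTTP_X_FORWARDED_FOR' => "10.0.0.1, 198.51.100.7",
];
$detalhes = buildErrorDetails($sample);
// Every value is now a single line; the injected text stays inside the HTTP_HOST field.
foreach ($detalhes as $k => $v) {
    echo $k, '=', $v, PHP_EOL;
}
```

Pass the resulting array to $erro->gerar('20x0010', $detalhes) in place of the raw $_SERVER values.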
Yes, in case the messages are only displayed to the user if the debug is active, which does not happen in production, only in the development part. I’ll read the link you gave me, thanks for the info.
– Renan Cavalieri