Delete and recreate variables in the same scope of different functions

Question

Delete and recreate variables in the same scope of different functions

Asked 7 years, 2 months ago

Viewed 50 times

0

I am creating logs for any time my system has an unexpected behavior, where it will not necessarily crash my system, for example an improper access using an unknown token or an attempt to Force, my intention is to use a similar function:

function create_log( $filename, $log ) {
    file_put_contents( 
        $filename.'.log', '[START]'.
        json_encode($_REQUEST).PHP_EOL.
        json_encode($_SESSION).PHP_EOL.
        "Log ".$log.PHP_EOL.'[END]'.PHP_EOL
    , FILE_APPEND );
}

That is, except for information that came in the body of the request, whatever the method, and information from the current session, it turns out that there are some data that would not like to save in this log, kind of customer credit card data, login password in the system and etc... so I’m thinking of a function that removes this information before calling the function create_log and one that recreates that information so as not to slow the flow of my code if that information is still needed.

In an older version I used something similar:

function create_log( $filename, $log ) {
    unset_fields();
    file_put_contents(...);
    reset_fields();
}

function unset_fields(){
    $_SESSION["senha"] = $_REQUEST["senha"];
    unset($_REQUEST["senha"]);
}

function reset_fields(){
    $_REQUEST["senha"] = $_SESSION["senha"];
}

In other words, I used session variables as auxiliary variables, but now I also need to log in information from the client session that is accessing the system, and in order to improve the code, I am trying something like:

$_REQUEST["remover"] = 5;
$_REQUEST["não remover"] = 5;
// variável request antes de remover os campos sensíveis
var_dump($_REQUEST); 
$arr = array("não existe", "remover");
unset_fields($arr);
// aqui viria o file_put_contents
var_dump($_REQUEST);
reset_fields($arr);
// aqui eu necessitava da global $_REQUEST no seu estado inicial
var_dump($_REQUEST);

function unset_fields(array $array){
    foreach($array as $val) {
        if(isset($_REQUEST[$val])){
            ${$val} = $_REQUEST[$val];
            unset($_REQUEST[$val]);
        }
    }
}
function reset_fields(array $array){
    foreach($array as $val) {
        if(isset(${$val})){
            $_REQUEST[$val] = ${$val} ;
        }
    }
}

The code above prints:

array(2) {
  ["remover"]=>
  int(5)
  ["não remover"]=>
  int(5)
}
array(1) {
  ["não remover"]=>
  int(5)
}
array(1) {
  ["não remover"]=>
  int(5)
}

That is, my problem is in the scope of the variable created as auxiliary, it exists only within the function unset_fields and yet if I make it "global" or define myself as constant, I run the risk of the variable conflicting with some other that already exists.

1

I just didn’t get it right why you save the sensitive information in session and you will write it to file the same way. You just went from $_REQUEST for $_SESSION, but both are recorded in the log, right? Besides, wouldn’t it be easier for you to copy the contents of these superglobals to local variables and filter those? So you wouldn’t need to worry about recovering the initial context.

– Woss

2017/08/17 at 22:58

2 answers

1

As commented on the question - and if I understand the problem correctly - you do not need to change the super global variables to generate a file log. Honestly, it doesn’t even seem to make much sense, precisely because it can harm other parts of the application, as you want to avoid. The most practical thing to do would be to copy your values to local variables and manipulate only those places. Something like:

function create_log($filename, $log)
{
    // Copia as superglobais para variáveis locais:
    $request = $_REQUEST;
    $session = $_SESSION;

    // Define quais são as informações sensíveis:
    $filter = ["password", "credit_card"];

    // Filtra as informações sensíveis:
    $request = array_filter($request, function ($key) use ($filter) {
        return !in_array($key, $filter);
    }, ARRAY_FILTER_USE_KEY);

    $session = array_filter($session, function ($key) use ($filter) {
        return !in_array($key, $filter);
    }, ARRAY_FILTER_USE_KEY);

    // Gera a mensagem de log:
    file_put_contents( 
        $filename.'.log', '[START]'.
        json_encode($request).PHP_EOL.
        json_encode($session).PHP_EOL.
        "Log ".$log.PHP_EOL.'[END]'.PHP_EOL
    , FILE_APPEND );
}

See working on Ideone.

Considering an entry as:

$_REQUEST = [
    "username" => "admin",
    "password" => "pass",
    "credit_card" => "000000"
];

$_SESSION = [
    "id" => 1
];

When generating the log, the values of password and credit_card will be filtered because they are on the list of sensitive information.

Browser other questions tagged php

You are not signed in. Login or sign up in order to post.

by william.web • 87 points · Answer 1 · 2017-08-17T22:52:52+00:00

You can do these functions within a class and create the class variable itself $this->XXX or you can also turn into a constant defined in this way define("NOME_DA_CONSTANTE", "VALOR_DESTA_CONSTANTE");