Is it safe to use $_SERVER variables to log errors?

Asked

Viewed 243 times

4

We all know that it is possible to manipulate some information during a request, I never had to use anything like $_SERVER[HTTP_HOST], $_SERVER[REQUEST_URI] or $_SERVER['REMOTE_ADDR'] because I know it has security implications.

However I want to log some errors in my system, and I thought to use these variables to add details in my log if a URL cannot be validated correctly, that is, if it contains characters that do not fit the FILTER_VALIDATE_URL.

Here is an explanation of how logic works.

if (!filter_var( $url, FILTER_VALIDATE_URL))
{    
    $detalhes = array (
        'HTTP_HOST' => "http://$_SERVER[HTTP_HOST]",
        'REQUEST_URI' => "$_SERVER[REQUEST_URI]",
        'REMOTE_ADDR' => "$_SERVER[REMOTE_ADDR]"
        'HTTP_X_FORWARDED_FOR' => "$_SERVER['HTTP_X_FORWARDED_FOR']"
    );

    $erro->gerar('20x0010', $detalhes);
}

That string 20x0010 is the internal error code we use in the documentation to describe system errors, each [prefix]x[suffix] represents an error in a certain part of the system and the description respectively.

In this function of gerar(), the system would check the object config and determine if the debug is active.

If debug is active, a screen will be displayed to the developer with all the output information, error code description and additional descriptions, which are the variables $_SERVER, otherwise the user would be redirected to the index. In both cases the errors are logged into a file.

I thought it was important to log this information because the most basic attacks could be logged. However I don’t know if it would be safe to use these variables to add more details to the error log.

2 answers

2

The answer to your question can be found in the PHP manual itself specifically at: $_SERVER

I highlight the paragraph:

$_SERVER is an array containing information such as headers, paths, and script paths. Entries in this array are created by web server. There is no guarantee that each web server will provide some of these; servers may omit some, or provide others not listed here. That being said, a large number of these variables are provided by » CGI 1.1 Specification, so you must be skilled to wait for them.

That said to say that it is usually safe to access this array, however and professionally, if you want an always functional solution independent of the server implementation any of its variables can be replicated.

For example the HTTP_HOST is usually part of the HTTP request. If HTTP_HOST is not defined, the client can be one of two things: very old (HTTP 1.0 does not support HTTP_HOST) or was a request made direct to the IP of the website.

Many of the variables preceded by "HTTP_" refer to variables present in the request and in this case there are functions to obtain this content.

2


$HTTP_SERVER_VARS contains the same initial information, but is not a superglobal. (Note that $HTTP_SERVER_VARS and $_SERVER are Different variables and that PHP Handles them as such). Also note that long arrays Were Removed Since PHP 5.4.0 so $HTTP_SERVER_VARS doesn’t exist anymore.

It means that they contain only information about the headers, paths and location of the scripts, but they are not global variables. The values of this array are provided by the server itself, and in some servers this information may be omitted. If it is to trace error lines, I believe there is no problem, but remembering that the purpose of the logs is to record errors with more details possible, without the end user being aware of these details, only the owner should be able to read this information, because most often they contain information relevant to the safety of the site. Read this here if you’re still at the edges.

  • Yes, in case the messages are only displayed to the user if the debug is active, which does not happen in production, only in the development part. I’ll read the link you gave me, thanks for the info.

Browser other questions tagged

You are not signed in. Login or sign up in order to post.