Tags: php, security, header-injection

Security: $_SERVER array SQL injection in PHP


I have written a PHP function that records everything in the $_SERVER array and if there is a certain $_SERVER variable that doesn't exist in my Database, it will add that column.

My question is this: How secure does this sound to you? After research and understanding of the header information some questions arise.

  1. Would a client be able to modify certain variables sent to the server through their browser agent or OS?
  2. Would someone who would be hosting a site from their own server be able to insert code into their own custom $_SERVER array?

Overall, I'm just asking exactly how secure this sounds, but those were the first concerns that come to mind.

If you find anything wrong with the way I asked this question, please comment before you down-vote and I will change it immediately.


Solution

  • $_SERVER cannot be trusted. $_SERVER['HTTP_USER_AGENT'] contains a string that is easily user-configurable - SQL injection possible. There are even browser plugins for that purpose. In fact, there are a lot of $_SERVER vars that can be changed by the user, for example $_SERVER['HTTP_ACCEPT_LANGUAGE'].

    Have a look at the Chrome plugin ModHeader:

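As an added example (not code from the question or the answer above), here is a request-logging function that treats $_SERVER as untrusted input: the unsafe pattern the question describes, followed by a hardened version that records only an allowlist of keys and binds every value as a parameter. The $pdo connection, the request_log table and its column names are assumptions.

```php
<?php
// Added example: logging $_SERVER without trusting it.
// Assumes a PDO connection $pdo and a pre-created table
// request_log(user_agent, accept_language, remote_addr, request_uri).
// All table and column names are hypothetical.

// UNSAFE pattern from the question: the $_SERVER key becomes a column
// identifier and the value is interpolated into SQL. Request headers
// such as User-Agent and Accept-Language control both strings.
function logRequestUnsafe(PDO $pdo): void
{
    foreach ($_SERVER as $key => $value) {
        $pdo->exec("ALTER TABLE request_log ADD COLUMN `$key` TEXT");
        $pdo->exec("INSERT INTO request_log (`$key`) VALUES ('$value')");
    }
}

// Hardened version:
//  1. Only a fixed allowlist of $_SERVER keys is recorded, so the schema
//     is static and no SQL identifier is ever built from request data.
//  2. Values are bound as prepared-statement parameters, never concatenated.
//  3. Values are cast to string and length-capped, bounding storage growth.
const LOGGED_HEADERS = [
    'HTTP_USER_AGENT'      => 'user_agent',
    'HTTP_ACCEPT_LANGUAGE' => 'accept_language',
    'REMOTE_ADDR'          => 'remote_addr',
    'REQUEST_URI'          => 'request_uri',
];
const MAX_HEADER_LEN = 512;

function logRequestSafe(PDO $pdo, array $server): bool
{
    $columns = [];
    $params  = [];
    foreach (LOGGED_HEADERS as $serverKey => $column) {
        // Missing keys are stored as NULL so every row has the same shape.
        $raw = $server[$serverKey] ?? null;
        $columns[]          = $column;
        $params[":$column"] = $raw === null
            ? null
            : substr((string) $raw, 0, MAX_HEADER_LEN);
    }
    // Identifiers come only from LOGGED_HEADERS; values only via placeholders.
    $sql = sprintf(
        'INSERT INTO request_log (%s) VALUES (%s)',
        implode(', ', $columns),
        implode(', ', array_keys($params))
    );
    return $pdo->prepare($sql)->execute($params);
}

// Usage: logRequestSafe($pdo, $_SERVER);
```

Any header the allowlist does not name is simply dropped, which is the behaviour you want: the schema must never grow on the client's say-so.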