
PHP - are $_GET, $_POST, $_REQUEST, $_COOKIE and other built in request variables safe to show visitors?


I'm creating a simple "debugging" page for visitors for them to be able to check the data they just sent to a URL. I was wondering which default PHP variables are safe to show to visitors? I have tried to my best extent to check the PHP documentation and looked at the content myself to ensure no sensitive information is exposed, but I still feel like someone with experience might know about some gotchas that I might not have taken into consideration.

My assumptions currently are:

  • $_GET, $_POST and $_REQUEST only hold what the visitors sent us, which would make me believe it is completely safe to show/dump all the contents of those variables.

  • $_COOKIE, this one I think is the cookies set for that visitor, which they anyway have in their browsers and therefore should be safe to show/dump to them

  • $_SERVER, not safe to show all content, but should be safe to show them specific headers such as $_SERVER["HTTP_MY_SPECIFIC_HEADER"]

  • $_SESSION, should never be shown to visitors if not something specific such as $_SESSION["IsLoggedIn"]...

Do you think that these assumptions hold up, or am I leaking sensitive information in some cases and opening myself up to vulnerabilities? I think this will help out a lot of new PHP developers to avoid pitfalls in future, by understanding what is allowed to be shown and what should be kept away from displaying to visitors, thanks!


Solution

  • It depends how you are showing the variables.

    If you are just dumping out the contents of $_GET and $_POST then you need to be careful you do not open yourself up to Cross-Site Scripting (XSS) or the like.

    For example, if I request https://yoursite.com/page?var=<script>alert("U r haXXed");</script>, will it display the text of the script (tags included) or will it make this script a part of your page?

    This might not sound like the biggest issue, but if you bring phishing into the equation then it becomes a lot scarier. I can send someone a link to https://yoursite.com/page?var=<script>window.location.href="https://evilsite.com/site/yoursite.com";</script>, which (if the script gets executed) will redirect users of your site to evilsite.com. I can then serve a login page that looks like yours and steal their credentials.
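As an added illustration of the escaping the answer calls for (example code, not from the question or the answer; the helper names esc and renderRequestData and the sample array are my own), here is a request-dump renderer that HTML-escapes every key and value, recursing because PHP turns ?a[b]=1 into nested arrays:

```php
<?php
// Added example: escape-before-echo for a request-debugging page.
// $_GET / $_POST / $_COOKIE may contain nested arrays (PHP parses ?a[b]=1
// that way), so the renderer recurses instead of casting arrays to string.
declare(strict_types=1);

/** Escape one string for safe placement inside HTML text or attributes. */
function esc(string $s): string
{
    // ENT_QUOTES also escapes ' so the value is safe inside attributes;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render a (possibly nested) request array as an HTML <dl>, escaping keys and values. */
function renderRequestData(array $data): string
{
    $html = '<dl>';
    foreach ($data as $key => $value) {
        $html .= '<dt>' . esc((string) $key) . '</dt><dd>';
        $html .= is_array($value) ? renderRequestData($value) : esc((string) $value);
        $html .= '</dd>';
    }
    return $html . '</dl>';
}

// Constructed sample input standing in for $_GET, including the payload from the answer.
$sampleGet = [
    'var'    => '<script>alert("U r haXXed");</script>',
    'filter' => ['name' => "O'Brien", 'tags' => ['a', 'b']],
];

// Unsafe (what the answer warns about): echo '<p>' . $sampleGet['var'] . '</p>';
// would make the visitor-supplied <script> part of the page and execute it.

// Safe: tags and quotes are shown as text, never interpreted as markup.
header('Content-Type: text/html; charset=UTF-8');
echo renderRequestData($sampleGet);
```

The same renderer works for $_POST and $_COOKIE; it does not make $_SERVER or $_SESSION safe to dump, since the concern there is what the values contain, not how they are displayed.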