
I have written a PHP function that records everything in the $_SERVER array and, if there is a certain $_SERVER variable that doesn't exist in my database, it will add that column.

My question is this: How secure does this sound to you? After research and understanding of the header information some questions arise.

  1. Would a client be able to modify certain variables sent to the server through their browser agent or OS?
  2. Would someone who would be hosting a site from their own server be able to insert code into their own custom $_SERVER array?

Overall, I'm just asking exactly how secure this sounds, but those were the first concerns that come to mind.

If you find anything wrong with the way I asked this question, please comment before you down-vote and I will change it immediately.

halfer
luckybroman5
    The webserver determines what is in `$_SERVER`, if you trust your webserver you can trust `$_SERVER`. Why do you want to log everything in `$_SERVER`? Most of it is useless information. – Halcyon Feb 24 '15 at 18:13
  • Just for my own statistics and curiosity. It would be going on hundreds of web servers, some of which I wouldn't know the owner of. – luckybroman5 Feb 24 '15 at 18:17
  • It sounds like a bad idea. I wouldn't do what you're trying to do. I'd look for a different solution to whatever problem you're trying to solve. – Halfstop Feb 24 '15 at 18:18
  • I'm not trying to necessarily solve a problem, I'm just trying to collect information. Are there any specific reasons that you have in mind that would make you think this is insecure? – luckybroman5 Feb 24 '15 at 18:20

2 Answers


$_SERVER cannot be trusted. $_SERVER['HTTP_USER_AGENT'] contains a string that is easily user-configurable - SQL injection possible. There are even browser plugins for that purpose. In fact, there are a lot of $_SERVER vars that can be changed by the user, for example $_SERVER['HTTP_ACCEPT_LANGUAGE'].

Have a look at the Chrome plugin ModHeader:

[screenshot of the ModHeader extension]

ByteHamster
  • This answer is exactly what I was looking for! So here is my follow-up question: Suppose I use a prepared statement or escape the strings to store the data in my SQL server, would I still be vulnerable to injection? I understand that it would do nothing against data skewing however... – luckybroman5 Feb 25 '15 at 03:45
    I am using [prepared statements](http://stackoverflow.com/a/60496/4193263) in my projects. You will not be vulnerable to SQL Injection when using prepared statements, see the answer I linked to for more information. – ByteHamster Feb 25 '15 at 05:27
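An added example, not code from the question or from ByteHamster's answer, that ties together the user-agent injection described above and the prepared-statement follow-up in the comments. It also covers the part prepared statements cannot help with: the column names. Every `HTTP_*` entry in `$_SERVER` mirrors a request header the client chose, so a logger that creates a column for every unknown key lets the client pick SQL identifiers (and mint as many as it likes). The `$request` array, the `server_log` table and the `buildVulnerableInsert` / `logRequestSafely` functions are constructed for this example; it assumes the `pdo_sqlite` extension so it runs offline against an in-memory database.

```php
<?php
// Added example, not from the original question or answers.
// 1. string-building the INSERT lets a client-controlled header reach the SQL parser;
// 2. a prepared statement stores the same value literally;
// 3. column names cannot be bound as parameters, so keys that originate with the
//    client must be allowlisted rather than turned into ALTER TABLE statements.
// Assumes the pdo_sqlite extension; the database is in-memory and discarded on exit.

declare(strict_types=1);

// Constructed request standing in for the real $_SERVER. Every HTTP_* key is a
// request header the client chose (ModHeader, curl -H, ...); only the non-HTTP_
// keys come from the web server itself.
$request = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_USER_AGENT'      => "Mozilla/5.0'); DELETE FROM server_log; --",
    'HTTP_ACCEPT_LANGUAGE' => 'en-US',
    'HTTP_X_EVIL_COLUMN'   => 'client-chosen key, sent as an X-Evil-Column header',
];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE server_log (id INTEGER PRIMARY KEY, remote_addr TEXT,'
        . ' http_user_agent TEXT, http_accept_language TEXT)');

// 1. Vulnerable: the value is pasted into the statement text. The single quote in
// the user agent closes the literal and everything after it is parsed as SQL.
// Only built here for display; it is deliberately never executed.
function buildVulnerableInsert(string $userAgent): string
{
    return "INSERT INTO server_log (http_user_agent) VALUES ('" . $userAgent . "')";
}
echo 'Vulnerable SQL: ', buildVulnerableInsert($request['HTTP_USER_AGENT']), PHP_EOL;

// 2. Safe values: bind them, so the driver never parses the content as SQL.
// 3. Safe identifiers: column names come from OUR allowlist, never from the client,
//    so nothing the client sends can reach the identifier position of the statement.
function logRequestSafely(PDO $db, array $server, array $allowedKeys): void
{
    $columns = [];
    $params  = [];
    foreach ($allowedKeys as $key) {
        if (!array_key_exists($key, $server)) {
            continue;                        // header absent from this request; skip it
        }
        $column = strtolower($key);          // allowlisted name, fixed by us at deploy time
        $columns[] = $column;
        $params[':' . $column] = (string) $server[$key];
    }
    $sql = sprintf(
        'INSERT INTO server_log (%s) VALUES (%s)',
        implode(', ', $columns),
        implode(', ', array_keys($params))
    );
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
}

// HTTP_X_EVIL_COLUMN is not on the list, so it is ignored instead of becoming a
// column. A client can send an unlimited number of distinct custom headers, which
// is why "add a column for every unknown key" cannot be made safe by quoting alone.
$allowedKeys = ['REMOTE_ADDR', 'HTTP_USER_AGENT', 'HTTP_ACCEPT_LANGUAGE'];
logRequestSafely($db, $request, $allowedKeys);

// The hostile user agent is stored as plain text; no DELETE ran.
$row = $db->query('SELECT http_user_agent FROM server_log')->fetch(PDO::FETCH_ASSOC);
echo 'Stored literally: ', $row['http_user_agent'], PHP_EOL;
```

If the full array really must be kept, store it as one JSON value in a single text column (again via a bound parameter) rather than letting request data shape the schema.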

The $_SERVER variable is used by PHP to return server-related information; it is not a place to store data. To be honest, it's the first time I've heard of somebody wanting to use the $_SERVER superglobal to store data. Maybe you should use $_SESSION? I think that's the right way of storing data if a database is not an option...

Also, the $_SERVER array seems to refresh each time you reload a page. And as @ByteHamster pointed out, some of the values in the $_SERVER variable can be tampered with.

The point is that you are trying to use something which is not designed for that purpose...

Whirlwind
  • I'm not using it to store data, just collect it and store it into a SQL server and later analyze it. Thank you for the answer though! – luckybroman5 Feb 25 '15 at 03:44