I have written a PHP function that records everything in the $_SERVER array and if there is a certain $_SERVER variable that doesn't exist in my database, it will add that column.
My question is this: How secure does this sound to you? After research and understanding of the header information some questions arise.
$_SERVER array? Overall, I'm just asking exactly how secure this sounds, but those were the first concerns that come to mind.
If you find anything wrong with the way I asked this question, please comment before you down-vote and I will change it immediately.
$_SERVER cannot be trusted. $_SERVER['HTTP_USER_AGENT'] contains a String that is easily user-configurable - SQL Injection possible. There are even browser plugins for that purpose. In fact, there are a lot of $_SERVER vars that can be changed by the user, for example also $_SERVER['HTTP_ACCEPT_LANGUAGE'].
Have a look at the Chrome plugin ModHeader:
The $_SERVER variable is used by PHP to return server-based information, it is not a place to store data. To be honest, it's the first time I've heard that somebody wants to use the $_SERVER superglobal to store data. Maybe you should use $_SESSION? I think that's the right way for storing data if a database is not an option...
Also, the $_SERVER array seems to refresh each time you reload a page. And as @ByteHamster pointed out, some of the values in the $_SERVER variable can be tampered with.
The point is that you are trying to use something which is not designed for that purpose...
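Added example, not part of the question or either answer above: one way to record request data without letting the client influence the schema or the SQL text, using a fixed column allowlist and a PDO prepared statement. The table name request_log, the column names, the 512-byte limit and the in-memory SQLite database (which needs the pdo_sqlite extension) are assumptions made for the illustration.

```php
<?php
// Added illustration; table, column names and limits are assumptions.
// Fixed allowlist: $_SERVER key => column name. The schema is defined here,
// in code, and is never extended from whatever keys a request happens to carry.
const LOG_COLUMNS = [
    'REMOTE_ADDR'          => 'remote_addr',
    'REQUEST_METHOD'       => 'request_method',
    'REQUEST_URI'          => 'request_uri',
    'HTTP_USER_AGENT'      => 'user_agent',
    'HTTP_ACCEPT_LANGUAGE' => 'accept_language',
];

function logRequest(PDO $db, array $server): int
{
    $row = [];
    foreach (LOG_COLUMNS as $key => $column) {
        $value = $server[$key] ?? null;
        // Client-controlled values are stored as data only, capped at 512 bytes.
        $row[$column] = is_string($value) ? substr($value, 0, 512) : null;
    }
    // Column names come from the constant above; values go in as bound parameters.
    $columns = implode(', ', array_keys($row));
    $marks   = implode(', ', array_fill(0, count($row), '?'));
    $stmt    = $db->prepare("INSERT INTO request_log ($columns) VALUES ($marks)");
    $stmt->execute(array_values($row));
    return (int) $db->lastInsertId();
}

// Demo on an in-memory SQLite database so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE request_log (id INTEGER PRIMARY KEY, '
    . implode(' TEXT, ', LOG_COLUMNS) . ' TEXT)');

// Constructed sample standing in for $_SERVER.
$sample = [
    'REMOTE_ADDR'     => '203.0.113.7',
    'REQUEST_METHOD'  => 'GET',
    'REQUEST_URI'     => '/index.php',
    'HTTP_USER_AGENT' => "Agent' OR '1'='1",   // quote characters in a header value
    'HTTP_X_MADE_UP'  => 'not in the allowlist, so never stored',
];

$id    = logRequest($db, $sample);
$check = $db->prepare('SELECT user_agent FROM request_log WHERE id = ?');
$check->execute([$id]);
// true when the header value was stored byte for byte as plain data
var_dump($check->fetchColumn() === $sample['HTTP_USER_AGENT']);
```

In a real handler the call would be logRequest($db, $_SERVER); stored values still need output escaping wherever they are later displayed.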