Security: $_SERVER array sql injection in PHP

Question

I have written a PHP function that records everything in the $_SERVER array and if there is a certain $_SERVER variable that doesn't exist in my Database, it will add that column.

My question is this: How secure does this sound to you? After research and understanding of the header information some questions arise.

1. Would a client be able to modify certain variables sent to the server their their browser agent or OS?
2. Would someone who would be hosting a site from their own server be able to insert code into their own custom $_SERVER array?

Overall, I'm just asking exactly how secure this sounds, but those were the first concerns that comes to mind.

If you find anything wrong with the way I asked this question, please comment before you down-vote and I will change it immediately.

Answer 1

$_SERVER can not be trusted. $_SERVER['HTTP_USER_AGENT'] contains a String that is easily user-configurable - SQL Injection possible. There are even browser plugins for that purpose. In fact, there are a lot of $_SERVER vars that can be changed by the user, for example also $_SERVER['HTTP_ACCEPT_LANGUAGE'] .

Have a look at the Chrome plugin ModHeader :

Answer 2

The $_SERVER variable is used by PHP to return information about the server based information, it is not a place to store data. To be honest, it's first time to hear that somebody wants to use $_SERVER superglobal to store data. Maybe you should use $_SESSION ? I think that's the right way for storing data if database is not an option...

Also $_SERVER array seems to refresh each time you reload a page. And what @ByteHamster pointed some of values in $_SERVER variable can be tampered.

The point is that you are trying to use something which is not designed for that purpose...