1.2.1054. Safe Phpvariables

Mark the safe PHP variables.

PHP superglobals are usually filled with external data that should be filtered. However, some values may be considered safe, as they are under the control of the developer.

$_GET, $_POST, $_FILES, $_REQUEST and $_COOKIE are all considered unsafe. Their level of validation is checked by other analyses.

$_SERVER is partially safe: only the following keys are considered safe, as they are set by PHP or by the server configuration rather than by the client: DOCUMENT_ROOT, REQUEST_TIME, REQUEST_TIME_FLOAT, SCRIPT_NAME, SERVER_ADMIN, _.

<?php

// DOCUMENT_ROOT is a safe variable
echo $_SERVER['DOCUMENT_ROOT'];

// $_SERVER's PHP_SELF MUST be validated before usage
echo $_SERVER['PHP_SELF'];

// $_GET MUST be validated before usage
echo $_GET['_'];

?>
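As an added example (not Exakat's code, and not part of the original page), the same distinction expressed as an allowlist: the $_SERVER keys listed above are returned untouched, every other key is escaped before it reaches HTML output. The helper name serverValueForHtml and the constructed $sample array are assumptions made for the example.

```php
<?php
// Added example (not Exakat's code): an allowlist of the $_SERVER keys the
// analysis treats as developer-controlled; everything else is escaped
// before being echoed into HTML.
declare(strict_types=1);

// The keys this page lists as safe. REQUEST_TIME and REQUEST_TIME_FLOAT are
// numbers set by PHP itself; the others come from the server configuration.
const SAFE_SERVER_KEYS = [
    'DOCUMENT_ROOT',
    'REQUEST_TIME',
    'REQUEST_TIME_FLOAT',
    'SCRIPT_NAME',
    'SERVER_ADMIN',
    '_',
];

/**
 * Return a $_SERVER value ready for HTML output.
 *
 * Safe keys are returned as-is. Any other key (PHP_SELF, REQUEST_URI,
 * HTTP_HOST, HTTP_* headers, ...) can be influenced by the client and is
 * HTML-escaped.
 *
 * @param array<string, mixed> $server the $_SERVER array, passed in so the
 *                                     function can be exercised with a
 *                                     constructed array
 */
function serverValueForHtml(string $key, array $server): string
{
    if (!array_key_exists($key, $server)) {
        return '';
    }
    $value = (string) $server[$key];
    if (in_array($key, SAFE_SERVER_KEYS, true)) {
        return $value;
    }
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample (hypothetical values, not from a real request): PHP_SELF
// carries the request path, so it can contain characters the client chose.
$sample = [
    'DOCUMENT_ROOT' => '/var/www/html',
    'SCRIPT_NAME'   => '/index.php',
    'PHP_SELF'      => '/index.php/<b>extra</b>',
    'HTTP_HOST'     => 'example.test',
];

foreach (['DOCUMENT_ROOT', 'SCRIPT_NAME', 'PHP_SELF', 'HTTP_HOST', 'MISSING'] as $key) {
    // DOCUMENT_ROOT and SCRIPT_NAME print unchanged; PHP_SELF prints with
    // &lt;b&gt; entities; MISSING prints an empty string.
    printf("%-14s %s\n", $key, serverValueForHtml($key, $sample));
}
```

Passing $_SERVER in as an argument (rather than reading the superglobal inside the function) keeps the helper testable, and the strict third argument to in_array() avoids loose comparisons on the key.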

See also Predefined Variables.

1.2.1054.1. Specs

Short name: Php/SafePhpvars

Rulesets: All, Changed Behavior

Exakat since: 2.1.2

PHP Version: All

Severity: Minor

Time To Fix: Quick (30 mins)

Precision: High

Features: superglobal, php-variable

Available in: Entreprise Edition, Exakat Cloud