The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, 2nd Edition by Marcus Pinto, Dafydd Stuttard


PHP

This section describes ways to acquire user-supplied input, ways to interact with the user's session, potentially dangerous APIs, and security-relevant configuration options on the PHP platform.

Identifying User-Supplied Data

PHP uses a range of array variables to store user-submitted data, as listed in Table 19-7.

Table 19-7 Variables Used to Acquire User-Supplied Data on the PHP Platform

| VARIABLE | DESCRIPTION |
| --- | --- |
| $_GET, $HTTP_GET_VARS | Contains the parameters submitted in the query string. These are accessed by name. For example, in the URL https://wahh-app.com/search.php?query=foo the value of the query parameter is accessed using $_GET['query']. |
| $_POST, $HTTP_POST_VARS | Contains the parameters submitted in the request body. |
| $_COOKIE, $HTTP_COOKIE_VARS | Contains the cookies submitted in the request. |
| $_REQUEST | Contains all the items in the $_GET, $_POST, and $_COOKIE arrays. |
| $_FILES, $HTTP_POST_FILES | Contains the files uploaded in the request. |
| $_SERVER['REQUEST_METHOD'] | Contains the method used in the HTTP request. |
| $_SERVER['QUERY_STRING'] | Contains the full query string submitted in the request. |
| $_SERVER['REQUEST_URI'] | Contains the full URL contained in the request. |
| $_SERVER['HTTP_ACCEPT'] | Contains the contents of the HTTP Accept header. |
| $_SERVER['HTTP_ACCEPT_CHARSET'] | Contains the contents of the HTTP Accept-Charset header. |
| $_SERVER['HTTP_ACCEPT_ENCODING'] | Contains the contents of the HTTP Accept-Encoding header. |
| $_SERVER['HTTP_ACCEPT_LANGUAGE'] | ... |
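The point of the table for a code reviewer is that every entry, including the $_SERVER['HTTP_*'] header copies, is attacker-controlled input. The following script is an added example (not code from the book) showing how to read such input from an explicitly named array rather than from $_REQUEST, and how to reduce a header value to an allow-listed choice; the helper names read_param and negotiate_language and the request values are constructed for this example.

```php
<?php
// Added example: reading user-supplied input from an explicit source and
// validating it, instead of trusting $_REQUEST or raw $_SERVER header values.
declare(strict_types=1);

// Read one parameter from an explicitly named array ($_GET, $_POST or $_COOKIE).
// Naming the source avoids the ambiguity of $_REQUEST, whose contents and
// precedence depend on the request_order / variables_order ini settings.
function read_param(array $source, string $name, int $maxLen = 200): ?string
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return null;                 // missing, or sent as an array (?name[]=...)
    }
    $value = $source[$name];
    if (strlen($value) > $maxLen || preg_match('/[\x00-\x1f\x7f]/', $value)) {
        return null;                 // oversized, or carries control characters
    }
    return $value;
}

// $_SERVER['HTTP_*'] entries are copied straight from the request headers, so
// they are user-supplied too. Map Accept-Language onto an allow-list and fall
// back to a default rather than echoing or storing the raw header.
function negotiate_language(array $server, array $supported, string $default): string
{
    $header = $server['HTTP_ACCEPT_LANGUAGE'] ?? '';
    foreach (explode(',', $header) as $part) {
        // Drop any ";q=..." weight and normalise the tag before comparing.
        $tag = strtolower(trim(explode(';', $part, 2)[0]));
        if ($tag !== '' && in_array($tag, $supported, true)) {
            return $tag;
        }
    }
    return $default;
}

// Constructed request data so the script runs stand-alone (php example.php).
$_GET    = ['query' => 'foo'];
$_COOKIE = ['query' => "bar\r\nSet-Cookie: injected"];   // CR/LF in a cookie value
$_SERVER['HTTP_ACCEPT_LANGUAGE'] = 'xx-unsupported, fr;q=0.8, en-US;q=0.5';

var_dump(read_param($_GET, 'query'));        // plain value passes validation
var_dump(read_param($_COOKIE, 'query'));     // control characters cause rejection
var_dump(negotiate_language($_SERVER, ['en', 'fr', 'de'], 'en'));
```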
