PHP
This section describes ways to acquire user-supplied input, ways to interact with the user's session, potentially dangerous APIs, and security-relevant configuration options on the PHP platform.
Identifying User-Supplied Data
PHP uses a range of array variables to store user-submitted data, as listed in Table 19.7.
Table 19.7 Variables Used to Acquire User-Supplied Data on the PHP Platform
Variable | Description
$_GET, $HTTP_GET_VARS | Contains the parameters submitted in the query string. These are accessed by name. For example, in the following URL: https://wahh-app.com/search.php?query=foo the value of the query parameter is accessed using: $_GET['query']
$_POST, $HTTP_POST_VARS | Contains the parameters submitted in the request body.
$_COOKIE, $HTTP_COOKIE_VARS | Contains the cookies submitted in the request.
$_REQUEST | Contains all the items in the $_GET, $_POST, and $_COOKIE arrays.
$_FILES, $HTTP_POST_FILES... |
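The following is an added example, not code from the book: it rebuilds the $_REQUEST merge from its three sources to show that what $_REQUEST holds depends on the request_order (or, when that is unset, variables_order) setting, and why reading from the specific array is the safer habit when reviewing code. The $get, $post and $cookie arrays are constructed stand-ins for one request's $_GET, $_POST and $_COOKIE.

```php
<?php
// Added example (not from the book). The three input arrays below are
// constructed; in a real request they are $_GET, $_POST and $_COOKIE.

/**
 * Rebuild $_REQUEST for a given request_order string (letters G, P, C as in
 * php.ini). PHP fills $_REQUEST in that order, so a later source overrides
 * an earlier one when both carry a parameter with the same name.
 */
function buildRequestArray(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged  = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // array_merge with string keys: the right-hand array wins.
            $merged = array_merge($merged, $sources[$letter]);
        }
    }
    return $merged;
}

/** Read one parameter from one explicit source, rejecting unexpected types. */
function paramFrom(array $source, string $name): ?string
{
    if (!array_key_exists($name, $source) || !is_string($source[$name])) {
        return null; // absent, or an array submitted as query[]=...
    }
    return $source[$name];
}

// Constructed request: ?query=foo in the URL plus a cookie also named "query".
$get    = ['query' => 'foo'];
$post   = [];
$cookie = ['query' => 'from-cookie', 'PHPSESSID' => 'constructed-session-id'];

// php.ini-production ships request_order = "GP": cookies never reach $_REQUEST.
var_dump(buildRequestArray('GP', $get, $post, $cookie)['query']);
// With request_order empty, PHP falls back to variables_order ("EGPCS"),
// so the cookie value shadows the query-string value of the same name.
var_dump(buildRequestArray('GPC', $get, $post, $cookie)['query']);
// Reading from the specific array makes the source of the value explicit.
var_dump(paramFrom($get, 'query'));
var_dump(paramFrom($cookie, 'query'));
```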