If I get a lot of sensitive data using ‘get_defined_vars()’ – is this a security breach? Can any user request these variables in any way?

I am working on a 10 year old PHP website, not running on any framework. Just flat PHP scripts (the old fashioned way, including/requiring other files).

I have been looking for a variable to complete a code I’m writing using the function: get_defined_vars() – and noticed there are tons of variables that are outputted on the page, with user names, passwords and a lot more data like databases credentials etc.

Is there any way a user can get this data printed/echoed/var_dumped/request?
or is it that only I, the one with access to the PHP files – from within the server – can use them however I want and not display them to a user, willingly or unwillingly?

Answer

You should use this function for debugging only. I can not think of any good reason to use it in live code.

Is there any way a user can get this data
printed/echoed/var_dumped/request?

Not without access to your PHP files or some breach.

If I get a lot of sensitive data using ‘get_defined_vars()’ – is this
a security breach? (user names, passwords and a lot more data like database credentials etc.)

Not necessarily a breach. But maybe easy to intrude if there is a breach somewhere.

I think this old code could need a lot of work if you want to improve security:

  • Encrypted Passwords should never be in the public variable scope
  • Plain Text passwords should never be anywhere and should not exist in any application – this would be a total fail even in 10 year old code
  • Encapsulate your components (user, database) if you have the time for that
  • Have safe settings in your php.ini and update PHP to the latest version (have fun with fixing 10 year old code for that 😀 ). Here is a nice tutorial for improving PHP security: https://www.cyberciti.biz/tips/php-security-best-practices-tutorial.html
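As an added illustration of the first and third points (this is example code written for this page, not code from the question or the answer), the following shows why credentials sitting in the global scope are visible to any stray `get_defined_vars()`/`var_dump` call, and how moving them into function scope removes them from that view. All file, variable and environment names and the sample password are constructed for the example.

```php
<?php
// Legacy pattern: a config file included at top level makes every credential
// a global, so get_defined_vars() at file scope (or any debug dump) returns it.
$db_host = 'localhost';
$db_user = 'app';
$db_pass = 'CONSTRUCTED-sample-password';   // placeholder, not a real secret

// Names of credential-like globals currently visible to a debug dump.
// (Reads $GLOBALS so it can be called from inside a function; at file scope
// get_defined_vars() would return the same names.)
function credential_globals(): array {
    $names = array_filter(
        array_keys($GLOBALS),
        fn(string $k): bool => str_starts_with($k, 'db_')
    );
    return array_values($names);
}

// Hardened pattern: credentials are read inside a function, live only as
// locals for the duration of the call, and never enter the global symbol table.
function db_connect(): PDO {
    $host = getenv('DB_HOST') ?: 'localhost';
    $user = getenv('DB_USER') ?: 'app';
    $pass = getenv('DB_PASS') ?: '';
    return new PDO("mysql:host={$host};dbname=app", $user, $pass);
}

// Before: the legacy globals are exposed.
echo "Credential globals before hardening: "
    . implode(', ', credential_globals()) . "\n";

// After: remove the globals; the connection helper no longer needs them.
unset($db_host, $db_user, $db_pass);
echo "Credential globals after hardening: "
    . count(credential_globals()) . "\n";

// Even in development, dump only variable names (never values) and send them
// to the error log rather than the browser.
if (getenv('APP_ENV') === 'development') {
    error_log('defined vars: ' . implode(', ', array_keys(get_defined_vars())));
}
```

Requires PHP 8.0+ for `str_starts_with()`; `db_connect()` is only defined here, not called, because it needs a reachable database.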