I am working on a 10 year old PHP website, not running on any framework. Just flat PHP scripts (the old fashioned way, including/requiring other files).
I have been looking for a variable to complete a code I’m writing using the function: get_defined_vars() – and noticed there are tons of variables that are outputted on the page, with user names, passwords and a lot more data like databases credentials etc.
Is there any way a user can get this data printed/echoed/var_dumped/request?
Or is it only I, the one with access to the PHP files from within the server, who can use them however I want, without displaying them to a user, willingly or unwillingly?
Answer
You should use this function for debugging only. I cannot think of any good reason to use it in live code.
Is there any way a user can get this data printed/echoed/var_dumped/request?
Not without access to your PHP files or some breach.
If I get a lot of sensitive data using ‘get_defined_vars()’ – is this a security breach? (user names, passwords and a lot more data like database credentials etc.)
Not necessarily a breach. But maybe easy to intrude if there is a breach somewhere.
I think this old code could need a lot of work if you want to improve security:
- Encrypted passwords should never be in the public variable scope
- Plain text passwords should never be anywhere and should not exist in any application – this would be a total fail even in 10 year old code
- Encapsulate your components (user, database) if you have the time for that
- Have safe settings within your php.ini and update PHP to the latest version (have fun with fixing 10 year old code for that 😀 ). Here is a nice tutorial for improving PHP security: https://www.cyberciti.biz/tips/php-security-best-practices-tutorial.html
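Added example (PHP, not code from the question or the answer) showing why credentials assigned in page scope turn up in get_defined_vars(), and how the "encapsulate your components" advice keeps them out by reading them inside a function. The DB_* environment variable names, the dbConnection() helper and all credential values are assumptions/placeholders.

```php
<?php
// --- Before: the classic flat-PHP config.php pattern -------------------------
// Every variable assigned here lives in the page scope, so any debug call such as
// var_dump(get_defined_vars()) in this file or any included file prints them.
$db_host = 'localhost';            // constructed placeholder values
$db_user = 'app_user';
$db_pass = 'placeholder-secret';

$exposedBefore = array_keys(get_defined_vars());
// $exposedBefore contains 'db_host', 'db_user', 'db_pass'

// --- After: keep credentials out of the page scope ---------------------------
// The secret is read from the environment (set by the web server or container,
// not stored in a PHP file under the web root) inside a function. Variables
// created inside a function are local to it, so get_defined_vars() in page
// scope never sees them, and a debug dump inside the function sees only
// this function's locals.
function dbConnection(): PDO
{
    static $pdo = null;            // reuse one connection per request
    if ($pdo === null) {
        $dsn = sprintf('mysql:host=%s;dbname=%s', getenv('DB_HOST'), getenv('DB_NAME'));
        $pdo = new PDO($dsn, getenv('DB_USER'), getenv('DB_PASS'), [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
        // $dsn is dropped when the function returns; the password string was
        // never bound to a named variable at all.
    }
    return $pdo;
}

// Remove the old globals once the refactor is complete so nothing else leaks them.
unset($db_host, $db_user, $db_pass);

$exposedAfter = array_keys(get_defined_vars());
// $exposedAfter no longer contains any db_* entry; only $exposedBefore/$exposedAfter remain.

// Related to the "plain text passwords should never exist" point: store only
// password_hash() output and compare with password_verify(), never the raw password.
$storedHash = password_hash('placeholder-user-password', PASSWORD_DEFAULT);
$ok = password_verify('placeholder-user-password', $storedHash);   // true
```

Run it with the DB_* variables exported in the environment; with display_errors turned off in php.ini, a failed PDO connection is logged instead of echoing the DSN to the visitor.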