phpgt/protectedglobal

Protect against accidental use of superglobals.

v1.1.1 2022-09-25 12:04 UTC

README

By default, PHP passes all sensitive user information around in superglobal variables, available for reading and modification in any code, including third party libraries. This directly violates a lot of the benefits of Object Oriented Programming, and can lead to unmaintainable code.

Assuming there are object oriented abstractions to the superglobals set up, this library can be used to replace all superglobals with objects that alert the developer of their protection and encapsulation, with an optional whitelist of superglobals to keep.

Build status Code quality Code coverage Current version PHP.Gt/ProtectedGlobal documentation

There are two functions on the static Protection class:

  1. removeGlobals - pass in an array containing the global arrays you wish to empty. Take an optional whitelist of keys to keep.
  2. overrideInternals - pass in all superglobal arrays to override with the ProtectedGlobal class.

Example usage:

// Before protecting, abstract the globals using an OOP mechanism of choice.
$input = new Input($_GET, $_POST, $_FILES);
// etc...

Protection::removeGlobals([$_ENV, $_SERVER, $_GET, $_POST, $_FILES, $_COOKIE, $_SESSION], ["get" => ["xdebug"]]);
Protection::overrideInternals($_GLOBALS, $_ENV, $_SERVER, $_GET, $_POST, $_FILES, $_COOKIE, $_SESSION);

// Now an exception will be thrown when trying to access a global variable:
$_SESSION["god-object"] = "Value I want to pass around globally";