Do not use $_REQUEST

ID

php.no_use_request

Severity

high

Resource

Risky Values

Language

Php

Tags

CWE:749, NIST.SP.800-53, OWASP:2021:A1, PCI-DSS:6.5.6

Description

This rule identifies instances where user input from $_REQUEST is used in file inclusion or execution functions, leading to potential Remote File Inclusion (RFI) or Local File Inclusion (LFI) vulnerabilities. Such vulnerabilities can allow attackers to execute arbitrary code or read sensitive files on the server.

Rationale

PHP’s $_REQUEST superglobal merges $_GET, $_POST, and $_COOKIE, making it a dangerous source for direct file inclusion. If improperly sanitized, attackers can manipulate it to include external or unintended local files, leading to security breaches.

Example of an insecure implementation:

<?php
// Insecure: Using $_REQUEST to include a file
include($_REQUEST['page']);
?>

If an attacker sends a request like http://example.com/vulnerable.php?page=../../../../etc/passwd, the server could expose sensitive system files. If allow_url_include is enabled, an attacker could even load a remote malicious script.

Sourcing sensitive information from request data in PHP code, particularly through the $_REQUEST superglobal, can expose secrets to unauthorized users. The $_REQUEST variable merges $_GET, $_POST, and $_COOKIE data, making it an unreliable and insecure source for handling credentials or configuration data.

For example:

<?php
// Insecure: database credential taken from user-controlled request data
$db_password = $_REQUEST['db_password'];

$conn = new PDO("mysql:host=localhost;dbname=mydb", "user", $db_password);
?>

In this case, the database password is sourced directly from user input, making it susceptible to manipulation. An attacker could pass a specially crafted request that injects arbitrary credentials or exploits weaknesses in the authentication system.

Remediation

To prevent LFI/RFI vulnerabilities:

  1. Avoid Direct Use of $_REQUEST for File Inclusion – Use predefined file paths instead.

  2. Use Whitelisting – Only allow expected filenames.

  3. Disable Remote File Inclusion – Set allow_url_include=Off in php.ini.

  4. Sanitize Input – Use basename() to prevent directory traversal.

Secure example:

<?php
// Secure: Using a whitelist approach
$allowed_pages = ['home.php', 'about.php', 'contact.php'];
$page = $_GET['page'] ?? 'home.php';

if (in_array($page, $allowed_pages, true)) {
    include($page);
} else {
    echo "Invalid page requested.";
}
?>

By explicitly defining allowed files and validating input, the risk of LFI/RFI is mitigated, ensuring only intended files are included.
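A fuller version of the allow-list approach, added here as an illustration and not taken from the rule page: request data is used only as a lookup key into a fixed map, and the resolved path is checked to stay inside the pages directory. PAGE_DIR, PAGE_MAP and resolvePage() are assumed names, and the code assumes PHP 8 or later.

```php
<?php
declare(strict_types=1);

// Added example (not from the rule page): the client never supplies a path,
// only a key into PAGE_MAP, and the canonical path is verified to sit under
// PAGE_DIR. PAGE_DIR, PAGE_MAP and resolvePage() are assumed names.
const PAGE_DIR = __DIR__ . '/pages';

// Only these files can ever be included, whatever the client sends.
const PAGE_MAP = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Resolve a request parameter to an includable path, or null if the
// request does not name an allowed page.
function resolvePage(mixed $requested): ?string
{
    $requested ??= 'home';

    // Reject arrays (page[]=x) and any other non-string shape, then apply
    // the whitelist (step 2): unknown keys are rejected outright.
    if (!is_string($requested) || !array_key_exists($requested, PAGE_MAP)) {
        return null;
    }

    // Sanitizing (step 4): basename() strips any directory component,
    // so even an edited map entry cannot introduce traversal.
    $file = basename(PAGE_MAP[$requested]);
    $path = realpath(PAGE_DIR . '/' . $file);

    // Defence in depth: the canonical path must sit under PAGE_DIR, so a
    // symlink or misconfiguration cannot escape the pages directory.
    $root = realpath(PAGE_DIR);
    if ($path === false || $root === false
        || !str_starts_with($path, $root . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

$path = resolvePage($_GET['page'] ?? null);
if ($path === null) {
    http_response_code(404);
    echo 'Invalid page requested.';
    exit;
}
include $path;
```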

To mitigate the second issue, avoid relying on $_REQUEST or any user-supplied data for security-sensitive values. Instead, use secure methods for managing credentials, such as:

  1. Environment Variables – Store secrets securely outside the codebase.

  2. Configuration Files with Proper Access Controls – Use separate config files that are not exposed in public repositories.

  3. Secret Management Tools – Utilize tools like AWS Secrets Manager, HashiCorp Vault, or similar solutions.

Example of using environment variables:

<?php
// Securely fetching the database password from an environment variable
$db_password = getenv('DB_PASSWORD');

// getenv() returns false when the variable is unset; fail closed rather than
// connecting with an empty or bogus password.
if ($db_password === false) {
    throw new RuntimeException('DB_PASSWORD is not set');
}

$conn = new PDO("mysql:host=localhost;dbname=mydb", "user", $db_password);
?>

By retrieving credentials from environment variables, developers eliminate the risk of exposing sensitive information in the source code. Always ensure that environment variables are properly secured on the hosting platform to prevent unauthorized access.

Configuration

This detector does not need any configuration.

References