Audit required: Presence of debug function found PHP-A1012
Use of
var_dump() to log can be risky if the variable contains sensitive information29 var_dump(Version::php72());
30 var_dump(Version::PHP73());
31
32 var_dump(htmlSpecialChars('<strong>Foo</strong>'));33 }
34}
Use of
var_dump() to log can be risky if the variable contains sensitive information27 var_dump(PHP_73); // invalid: constant doesn't exist
28
29 var_dump(Version::php72());
30 var_dump(Version::PHP73());31
32 var_dump(htmlSpecialChars('<strong>Foo</strong>'));
33 }Use of
var_dump() to log can be risky if the variable contains sensitive information26 var_dump(PHP_74);
27 var_dump(PHP_73); // invalid: constant doesn't exist
28
29 var_dump(Version::php72());30 var_dump(Version::PHP73());
31
32 var_dump(htmlSpecialChars('<strong>Foo</strong>'));Use of
var_dump() to log can be risky if the variable contains sensitive information24 var_dump(php_81()); // invalid: function doesn't exist
25
26 var_dump(PHP_74);
27 var_dump(PHP_73); // invalid: constant doesn't exist28
29 var_dump(Version::php72());
30 var_dump(Version::PHP73());Use of
var_dump() to log can be risky if the variable contains sensitive information23 var_dump(php_80());
24 var_dump(php_81()); // invalid: function doesn't exist
25
26 var_dump(PHP_74);27 var_dump(PHP_73); // invalid: constant doesn't exist
28
29 var_dump(Version::php72());
Description
Debugging functions such as var_dump, print_r or var_export should not be kept in production code. These functions display information about the variable, which can be helpful during development. However, if they contain any sensitive information, the presence of these functions in production code can expose that. Therefore, it is advised to avoid using it in production.
Bad practice
function getUser() {
$query = buildQuery('users', ['*']);
var_dump($query);
}
Recommended
function getUser() {
$query = buildQuery('users', ['*']);
Log::info(print_r($query, true));
}