$_SERVER directly can be vulnerable

</tbody>

<tr>
<td colspan="2"><input type="hidden" name="ip" value="<?php echo $_SERVER['REMOTE_ADDR'] ?>" /><input type="submit" value="Create Ticket" /></td>
</tr>
</table>
</form>

$_SERVER directly can be vulnerable

<?php if (!defined('FLUX_ROOT')) exit; ?>
<h2><?php echo htmlspecialchars(Flux::message('PageNotFoundHeading')) ?></h2>
<p><?php echo htmlspecialchars(Flux::message('PageNotFoundInfo')) ?></p>
<p><span class="request"><?php echo $_SERVER['REQUEST_URI'] ?></span></p>

$_SERVER directly can be vulnerable

<?php if (!defined('FLUX_ROOT')) exit; ?>
<h2><?php echo htmlspecialchars(Flux::message('MissingViewHeading')) ?></h2>
<p><?php echo htmlspecialchars(Flux::message('MissingViewModLabel')) ?> <span class="module-name"><?php echo $this->params->get('module') ?></span>, <?php echo htmlspecialchars(Flux::message('MissingViewActLabel')) ?> <span class="module-name"><?php echo $this->params->get('action') ?></span></p>
<p><?php echo htmlspecialchars(Flux::message('MissingViewReqLabel')) ?> <span class="request"><?php echo $_SERVER['REQUEST_URI'] ?></span></p>
<p><?php echo htmlspecialchars(Flux::message('MissingViewLocLabel')) ?> <span class="fs-path"><?php echo $realViewPath ?></span></p>

$_SERVER directly can be vulnerable

<?php if (!defined('FLUX_ROOT')) exit; ?>
<h2><?php echo htmlspecialchars(Flux::message('MissingActionHeading')) ?></h2>
<p><?php echo htmlspecialchars(Flux::message('MissingActionModLabel')) ?> <span class="module-name"><?php echo $this->params->get('module') ?></span>, <?php echo htmlspecialchars(Flux::message('MissingActionActLabel')) ?> <span class="module-name"><?php echo $this->params->get('action') ?></span></p>
<p><?php echo htmlspecialchars(Flux::message('MissingActionReqLabel')) ?> <span class="request"><?php echo $_SERVER['REQUEST_URI'] ?></span></p>
<p><?php echo htmlspecialchars(Flux::message('MissingActionLocLabel')) ?> <span class="fs-path"><?php echo $realActionPath ?></span></p>

Logging user-provided values directly can leave the application vulnerable to multiple attack vectors. Superglobal variables contain values specified by the user, which are considered tainted and untrusted. Therefore, passing these variables directly to the logger is discouraged.

error_log($_POST);
error_log('Message: ' . $_POST['message']);