We are moving our forum in GitHub Discussions. For questions about Phalcon v3/v4 you can visit here and for Phalcon v5 here.

Does Phalcon sanitize $_SERVER variables?

I'm looking at the Phalcon\Http\Request class. The methods getPost(), getQuery(), etc. all accept a second argument called $filters that allows me to sanitize user input like this:

$username = $this->request->getPost('username', 'alphanum');

But then the method getServer() doesn't accept a second argument. Does that mean that it internally sanitizes the $_SERVER variables? If not, then I will have to do it manually like this:

$userAgent = $this->request->getServer('HTTP_USER_AGENT');
$userAgent = $this->filter->sanitize($userAgent, 'string');

This seems pretty easy to check, but my guess would be no - it doesn't do any sanitization. Typically, the contents of $_SERVER aren't sent from the user, so there's nothing to sanitize for malicious input. Of course, your HTTP_USER_AGENT is an example to the contrary.