Does Phalcon sanitize $_SERVER variables?

Question

Does Phalcon sanitize $_SERVER variables?

modz95 Jun '18

Created Jun '18	Last Reply Jun '18	Replies 1	Views 429	Votes 0

modz95 2.9k

Jun '18

I'm looking at the Phalcon\Http\Request class. The methods getPost(), getQuery(), etc. all accept a second argument called $filters that allows me to sanitize user input like this:

$username = $this->request->getPost('username', 'alphanum');

But then the method getServer() doesn't accept a second argument. Does that mean that it internally sanitizes the $_SERVER variables? If not, then I will have to do it manually like this:

$userAgent = $this->request->getServer('HTTP_USER_AGENT');
$userAgent = $this->filter->sanitize($userAgent, 'string');

Dylan Anderson · Answer 1 · 2018-06-26T13:26:30-07:00

This seems pretty easy to check, but my guess would be no - it doesn't do any sanitization. Typically, the contents of $_SERVER aren't sent from the user, so there's nothing to sanitize for malicious input. Of course, your HTTP_USER_AGENT is an example to the contrary.