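---
# PHP taint-tracking configuration: where untrusted data enters (sources),
# where it becomes dangerous (sinks), and which functions neutralize it
# (sanitizers).
#
# sources: user-manipulable superglobals. The parser normalizes the names
# without the leading `$` (e.g. `$_POST` → `_POST`), so they are listed bare.
sources:
# Query string
- "_GET"
# POST body / form / JSON
- "_POST"
# GET + POST + COOKIE combined
- "_REQUEST"
# Cookies (user sends them)
- "_COOKIE"
# Server/env: HTTP_* headers (HTTP_HOST, HTTP_USER_AGENT, HTTP_REFERER, HTTP_X_*, etc.)
- "_SERVER"
# Environment variables
- "_ENV"
# File uploads (user-controlled filename + content)
- "_FILES"
# Session (often user-origin data)
- "_SESSION"
# Global scope
- "GLOBALS"

# sinks: every entry below executes an OS command or PHP code. Tainted data
# reaching one of them without a context-appropriate sanitizer is a finding.
sinks:
# OS command execution
- "exec"
- "shell_exec"
- "system"
- "passthru"
# PHP code execution (not an OS command, but the same severity)
- "eval"
# OS command execution via a process handle
- "popen"
- "proc_open"

# sanitizers: functions whose return value is treated as clean.
# NOTE(review): the sinks above are command/code execution, yet most entries
# here escape for an HTML or SQL context and leave shell metacharacters
# (`;`, `|`, `$`, backticks) untouched. A value that only passes through them
# is still dangerous at those sinks, so they suppress true positives unless
# this list is shared with HTML/SQL sink sets elsewhere.
sanitizers:
# Shell context: quotes a single argument, the only entry that actually
# neutralizes input for the command-execution sinks above.
- "escapeshellarg"
# HTML context only
- "htmlspecialchars"
- "htmlentities"
- "strip_tags"
# SQL (MySQL) context only
- "mysqli_real_escape_string"
# Generic name: matches any function called `sanitize`, whatever it does,
# so it is a false-negative risk; prefer listing the concrete helper names.
- "sanitize"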