
shankarnewton's avatar

Securely unsetting variables after form redirect

My question is from a security perspective!

I'm collecting highly secured information like card data on a form and doing a form redirection to a gateway page. Is there a way to unset the data before/after the job?

  • PHP GC does the job, but that's not enough for the security team.
  • Since it's not a cURL and a form redirect, unset() doesn't help, because the form will have no payload.
  • Again, since it's a form redirect, we won't have control over the data once the form is redirected.

The payload is prepared in the controller, and the view is called, from where the form is submitted. I'm looking for a way to securely clear/unset manually the variables/payload prepared in the controller after the view is called and the form is redirected.

Controller:

$data['card_number'] = $request->input('chd');
//Other payload info
return view('form', $data);

View:

<form action='https://3party.site/resources'>
    <input type='text' name='{{ $card_number }}'>
    {{-- Other params come here --}}
</form>

My requirement is to unset the card_number value safely after the form action is done. Although the PHP garbage collector does the job, the security team wants to have better control, with assurance that the data would be destroyed.

Background info:

Using PHP 7.4, Laravel 7.x

0 likes
4 replies
shankarnewton's avatar

I'm sorry but that was not my question! All that I want to know is how to unset when there is a return and redirect to a web page outside the ecosystem!

Once again, I know how unset() works! So the question is how to use it.

Now, why do I ask:

  • We can't use unset() before the return, since that would destroy the payload before going to the target.
  • We can't use unset() after the form redirect, since the return would take away the control of the process.
Tray2's avatar

Are you talking about unsetting the data after the return in your controller?

That is not possible to do since you returned.

You might be able to force a gc to run directly in your view by calling gc_collect_cycles(). Don't know though if it cleans a bit too much.

On the other hand, your security team doesn't seem to know their drill, so to speak. Regular gc is quite enough to handle this safely.

Snapey's avatar

For the paranoid, instead of unsetting the value, set it to garbage. You can then unset it if you want, but it's all overkill.
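
The overwrite-then-release idea from the replies above, as an added example that is not part of the thread and not code from any poster. The names wipe() and sendGatewayForm(), the hidden card_number field, method="post" and the test card number are assumptions made for illustration; sodium_memzero() comes from PHP's sodium extension and is skipped if that extension is not loaded.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: overwrite a secret's buffer, then null the variable.
function wipe(?string &$secret): void
{
    if ($secret === null) {
        return;
    }
    if (function_exists('sodium_memzero')) {
        // Zeroes the bytes only when this is the last holder of the string
        // (refcount 1); either way the variable ends up null.
        sodium_memzero($secret);
    } else {
        // Best-effort fallback: overwrite byte by byte ("set it to garbage").
        for ($i = 0, $n = strlen($secret); $i < $n; $i++) {
            $secret[$i] = "\0";
        }
    }
    $secret = null;
}

// Hypothetical controller-like step: build the payload, emit the form, wipe.
function sendGatewayForm(?string &$chd): void
{
    $data = ['card_number' => $chd];   // second holder of the same string
    $html = null;
    try {
        $html = '<form method="post" action="https://3party.site/resources">'
              . '<input type="hidden" name="card_number" value="'
              . htmlspecialchars((string) $data['card_number'], ENT_QUOTES)
              . '"></form>';
        echo $html;
    } finally {
        // Runs even if rendering throws. Wipe every holder; the last one
        // released is the one whose buffer actually gets zeroed.
        wipe($data['card_number']);
        wipe($html);
        wipe($chd);
    }
}

// Constructed test number, built at runtime (string literals are interned
// and are never zeroed in place).
$chd = implode('', ['4111', '1111', '1111', '1111']);
sendGatewayForm($chd);
```

This only covers variables the script itself holds: the framework's copy of the request input, PHP's output buffer, the web server and the browser each keep their own copy of the value. gc_collect_cycles() frees cyclic garbage but does not overwrite the freed memory.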
