
Is there a risk of sensitive information in constants?

M66 2025-05-24

In PHP, get_defined_constants() is a function that gets all defined constants (including user-defined and PHP system predefined constants) and their corresponding values. This function is very useful when debugging, configuration checking, or developing debugging tools, but if used improperly, it can also cause security risks, especially in scenarios involving sensitive information.

Function introduction

 get_defined_constants([bool $categorize = false]): array

This function returns all constants defined in the current script. When $categorize is set to true, the returned array is grouped by the extension that defined each constant (for example "Core", "pcre" and "user"), which makes it easy to tell where a constant came from.

For example:

 $constants = get_defined_constants();
print_r($constants);

This code outputs all defined constants and their values, including constants such as E_ERROR , PHP_VERSION , and constants defined by the user through define() or const .

Potential risk of sensitive information

Although most system-predefined constants are harmless, user-defined constants may contain sensitive information, such as database credentials, API keys, path information, etc. For example:

 define('DB_PASSWORD', 'SuperSecretPassword123');
define('API_KEY', 'sk_live_abc123xyz789');

If the return value of get_defined_constants() is output directly by a debugging tool or logging system and exposed to external users, sensitive information can be leaked. This is especially dangerous when debugging tools are deployed to production or to environments shared by many users.

In particular, on debug pages or in error-handling code, developers often habitually dump global state to analyze a problem, for example:

 echo '<pre>';
print_r(get_defined_constants());
echo '</pre>';

If such output is not restricted by permissions, an attacker can access the page to obtain constant content containing sensitive data.

Real case analysis

Suppose a PHP debugging tool (such as a custom error monitor) is deployed at https://debug.m66.net/debug.php and contains the following code:

 // Debug switch controlled by a query parameter, with no authentication at all
 if (isset($_GET['debug']) && $_GET['debug'] === '1') {
    echo '<pre>';
    print_r(get_defined_constants());
    echo '</pre>';
}

Once the debug switch is enabled, the page will output all constant information. If some constants contain the following:

 define('PAYMENT_GATEWAY_SECRET', 'sk_test_abc123');
define('AWS_SECRET_ACCESS_KEY', 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY');

Attackers can easily read this information, causing serious security consequences.

Risk mitigation advice

To prevent sensitive information leakage, it is recommended to follow the following best practices when using get_defined_constants() :

  1. Avoid outputting all constants in production environments . Use this function only in local or trusted development environments.

  2. Classification management of sensitive information . Keep sensitive configuration in a separate configuration file and load it into variables (or an environment-backed config object) rather than defining it as constants, so it never appears in the constant table.

  3. Access control . Every interface that exposes debugging information must require authentication; public access must be prohibited.

  4. Conditional filter output . Check the constant name before output, for example excluding constants whose names contain sensitive keywords such as SECRET , KEY , PASSWORD , etc.:

 $constants = get_defined_constants();
foreach ($constants as $name => $value) {
    // Skip anything whose name suggests a credential
    if (preg_match('/(SECRET|KEY|PASSWORD)/i', $name)) {
        continue;
    }
    // var_export handles booleans, null and array constants safely
    echo $name, ' => ', var_export($value, true), "\n";
}

  Note that a keyword blocklist like this only catches secrets whose names match the list; a constant such as DB_DSN or AUTH_TOKEN would still be printed. Prefer an explicit allowlist of constants that are safe to show, or restrict output to the "user" group and redact everything else.

  5. Log desensitization . If constant information is written to the log system, be sure to mask or remove sensitive values before writing.
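The following is an added example (not code from the original article) that combines recommendations 1, 3 and 4: it restricts the dump to the "user" group returned by get_defined_constants(true), redacts values whose names look sensitive, and refuses to render unless the environment is non-production and the caller is an authenticated operator. The APP_ENV environment variable, the session flag used by is_authorized_debug_user(), and the keyword list are all assumptions.

```php
<?php
declare(strict_types=1);

// Assumed keyword list; extend it to match your own naming conventions.
const SENSITIVE_NAME_PATTERN = '/(SECRET|KEY|PASSWORD|PASSWD|TOKEN|DSN|CREDENTIAL)/i';

/**
 * Return only user-defined constants, with sensitive-looking values redacted.
 * get_defined_constants(true)['user'] skips the hundreds of engine and
 * extension constants and limits output to what the application itself defined.
 */
function redacted_user_constants(): array
{
    $user = get_defined_constants(true)['user'] ?? [];
    $out = [];
    foreach ($user as $name => $value) {
        $out[$name] = preg_match(SENSITIVE_NAME_PATTERN, $name) === 1
            ? '[REDACTED]'
            : $value;
    }
    return $out;
}

/** Hypothetical authorization check: replace with your real session/RBAC logic. */
function is_authorized_debug_user(): bool
{
    return !empty($_SESSION['is_admin']);
}

function render_debug_page(): void
{
    // Gate 1: never in production (APP_ENV is an assumed environment variable;
    // an unset value is treated as production, so the default is to refuse).
    if ((getenv('APP_ENV') ?: 'production') === 'production') {
        http_response_code(404);
        return;
    }
    // Gate 2: authenticated operator only.
    if (!is_authorized_debug_user()) {
        http_response_code(403);
        return;
    }
    header('Content-Type: text/plain; charset=utf-8');
    echo var_export(redacted_user_constants(), true), "\n";
}

// CLI demo with constructed values: DB_PASSWORD is redacted, APP_NAME is shown.
define('DB_PASSWORD', 'SuperSecretPassword123');
define('APP_NAME', 'demo');
print_r(redacted_user_constants());
```

Running the file from the command line prints APP_NAME with its value and DB_PASSWORD as "[REDACTED]"; render_debug_page() is only meant to be wired to a route in a non-production environment.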

Summary

get_defined_constants() is a powerful function, but with great power comes great responsibility. Developers must fully consider the potential security risks when using it, especially in contexts involving sensitive information. With proper access control, output filtering and environment isolation, the risks of using this function can be effectively reduced and the overall security of the application preserved.