PHP

Made by DeepSource

Audit required: Presence of debug function found PHP-A1012

Security
Critical
CWE-117, CWE-223, OWASP Top 10 2017 A10, OWASP Top 10 A09, SANS Top 25

Debugging functions such as var_dump, print_r or var_export should not be kept in production code. These functions print the contents of a variable, which is helpful during development. In production, however, the dumped value can contain sensitive information (credentials, connection details, user data), and because the output goes straight into the response body, that information is exposed to whoever receives the page. Therefore, avoid using these functions in production code.

Bad practice

function getUser() {
    $query = buildQuery('users', ['*']);

    // Writes the full query structure into the response body,
    // where any client can read it.
    var_dump($query);
}

Recommended

function getUser() {
    $query = buildQuery('users', ['*']);

    // print_r with the second argument set to true returns the text
    // instead of printing it, so it can be routed to the application
    // log rather than the response.
    Log::info(print_r($query, true));
}
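The recommended snippet moves the dump from the response to the log, but whatever is in the variable still lands in the log verbatim. The following is an added, self-contained example (not DeepSource's code and not a project API) that goes one step further: it replaces the debug dump with a helper that redacts values under sensitive keys, collapses the output to a single line so a value containing newlines cannot forge extra log entries (the CWE-117 concern listed above), and writes via PHP's built-in error_log() instead of echoing. The key list, the helper names and the sample $query array are all assumptions made for the example.

```php
<?php
// Added example: route debug output to the log, redacted and on one line,
// instead of var_dump()-ing it into the HTTP response.

declare(strict_types=1);

// Keys whose values must never reach logs (assumed list; extend per project).
const SENSITIVE_KEYS = ['password', 'passwd', 'secret', 'token', 'api_key', 'authorization'];

/**
 * Recursively replace the values of sensitive keys with a fixed mask.
 * Objects are flattened to their public properties first.
 */
function redact(mixed $value): mixed
{
    if (is_object($value)) {
        $value = get_object_vars($value);
    }
    if (!is_array($value)) {
        return $value;
    }
    $out = [];
    foreach ($value as $key => $item) {
        if (is_string($key) && in_array(strtolower($key), SENSITIVE_KEYS, true)) {
            $out[$key] = '[REDACTED]';
        } else {
            $out[$key] = redact($item);
        }
    }
    return $out;
}

/**
 * Drop-in replacement for a debug dump: never echoes. Returns the text that
 * was written so callers and tests can inspect it.
 */
function debugToLog(string $label, mixed $value): string
{
    $text = $label . ': ' . var_export(redact($value), true);
    // Keep one entry on one line so user-controlled newlines cannot
    // forge additional log records.
    $text = str_replace(["\r", "\n"], ' ', $text);
    error_log($text);
    return $text;
}

// Constructed sample: roughly what a query builder might hand back.
$query = [
    'sql'    => 'SELECT * FROM users WHERE email = ?',
    'params' => ["alice@example.com\nFAKE ENTRY: admin login ok"],
    'conn'   => ['host' => 'db.internal', 'user' => 'app', 'password' => 'hunter2'],
];

// Bad: sends the connection password to the client in the response body.
// var_dump($query);

// Better: logged, password masked, newline in the parameter flattened.
$line = debugToLog('getUser query', $query);
```

Run it with `php example.php`; under the CLI, error_log() writes to stderr, so the single redacted line is visible immediately. The var_export output still includes the SQL text and parameters, which is the intended behaviour for debugging; if even those are sensitive in your context, add their keys to SENSITIVE_KEYS or drop the debug call entirely.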

References