Incorrect $_SERVER['PATH_INFO']
Posted: Mon May 30, 2011 6:34 pm
by Jonah Bron
I've been testing my app on my localhost. The app is located at /foo/bar/bar.php. It relies on $_SERVER['PATH_INFO'] to get further information from the url. It works, but when I uploaded the app to a remote server, the value of PATH_INFO is incorrect. Instead of giving me everything after the file name and before the query (as stated in the manual), it gives everything after the domain (/foo/bar/bar.php). Is this a setting I can change? What could cause this?
Re: Incorrect $_SERVER['PATH_INFO']
Posted: Wed Jun 01, 2011 4:05 pm
by flying_circus
I was just reading something about this in Ilia's book last night, Guide to PHP Security. If you've got it handy, it should be around page 67 or so.
Is there a reason you can't use basename(__FILE__)?
$_SERVER['PATH_INFO'] doesn't seem to register on either of my servers. Anyways, I think Ilia had suggested conditioning the value before use, something like:
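<?php
// Keep only the part of PATH_INFO from the script's file name onward.
$pathInfo = isset($_SERVER['PATH_INFO']) ? $_SERVER['PATH_INFO'] : '';
print substr($pathInfo, (int) strpos($pathInfo, basename(__FILE__)));
?>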
Edit: I quoted above out of context. The reason for conditioning PHP_SELF, PATH_INFO, and PATH_TRANSLATED was to mitigate Cross Site Scripting.
Re: Incorrect $_SERVER['PATH_INFO']
Posted: Fri Jun 03, 2011 5:56 pm
by Jonah Bron
Well, PATH_INFO gives everything after the file name and before the query. So not quite the same thing as basename(__FILE__). I'm using Skeleton Framework, and it turns out it can work around PATH_INFO being missing. The problem was that it was falsely reading from it when it was empty. To fix it, I just did unset($_SERVER['PATH_INFO']);, and it worked. Turns out my localhost doesn't have it either. I would like to know why it's not reliable.
Oh, and sorry, I don't have that book.
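An added example, not part of the original thread or of Skeleton Framework: one way to treat PATH_INFO as untrusted, covering the cases raised above (value missing, value containing the script path itself, value echoed into HTML). The function names and the sample arrays are hypothetical and constructed for illustration; it assumes SCRIPT_NAME holds the script's URL path.

```php
<?php
// Added example: normalise PATH_INFO and escape it before output.
// Function names and sample values are hypothetical, not from the thread.

/**
 * Return the extra path after the script name, or '' when none is usable.
 * $server is a $_SERVER-like array so the function can be exercised offline.
 */
function normalized_path_info(array $server): string
{
    $info = $server['PATH_INFO'] ?? '';
    if (!is_string($info) || $info === '') {
        return '';                       // missing or empty: treat as "no path"
    }
    $script = $server['SCRIPT_NAME'] ?? '';
    // Some setups report the script path itself inside PATH_INFO (the symptom
    // in the first post); strip that prefix when it is present.
    if (is_string($script) && $script !== ''
        && strncmp($info, $script, strlen($script)) === 0) {
        $info = (string) substr($info, strlen($script));
    }
    return str_replace("\0", '', $info); // drop NUL bytes
}

/** Escape for an HTML context; the value is client-controlled URL data. */
function html_path_info(array $server): string
{
    return htmlspecialchars(
        normalized_path_info($server),
        ENT_QUOTES | ENT_SUBSTITUTE,
        'UTF-8'
    );
}

// Constructed sample inputs.
$samples = [
    ['SCRIPT_NAME' => '/foo/bar/bar.php', 'PATH_INFO' => '/view/42'],
    ['SCRIPT_NAME' => '/foo/bar/bar.php', 'PATH_INFO' => '/foo/bar/bar.php'],
    ['SCRIPT_NAME' => '/foo/bar/bar.php', 'PATH_INFO' => '/"><b>x</b>'],
    ['SCRIPT_NAME' => '/foo/bar/bar.php'], // PATH_INFO not set at all
];
foreach ($samples as $s) {
    var_dump(html_path_info($s));
}
```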
