
Incorrect $_SERVER['PATH_INFO']

Posted: Mon May 30, 2011 6:34 pm
by Jonah Bron
I've been testing my app on my localhost. The app is located at /foo/bar/bar.php. It relies on $_SERVER['PATH_INFO'] to get further information from the url. It works, but when I uploaded the app to a remote server, the value of PATH_INFO is incorrect. Instead of giving me everything after the file name and before the query (as stated in the manual), it gives everything after the domain (/foo/bar/bar.php). Is this a setting I can change? What could cause this?

Re: Incorrect $_SERVER['PATH_INFO']

Posted: Wed Jun 01, 2011 4:05 pm
by flying_circus
I was just reading something about this in Ilia's book last night, Guide to PHP Security, if you've got it handy, it should be around page 67 or so.

Is there a reason you can't use basename(__FILE__)?

$_SERVER['PATH_INFO'] doesn't seem to register on either of my servers. Anyways, I think Ilia had suggested conditioning the value before use, something like:

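<?php
  // Keep only the part of PATH_INFO from the script's file name onward.
  $pathInfo = isset($_SERVER['PATH_INFO']) ? $_SERVER['PATH_INFO'] : '';
  $pos = strpos($pathInfo, basename(__FILE__));
  print substr($pathInfo, $pos === false ? 0 : $pos);
?>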

Edit: I quoted above out of context. The reason for conditioning PHP_SELF, PATH_INFO, and PATH_TRANSLATED was to mitigate Cross Site Scripting.

Re: Incorrect $_SERVER['PATH_INFO']

Posted: Fri Jun 03, 2011 5:56 pm
by Jonah Bron
Well, PATH_INFO gives everything after the file name and before the query. So not quite the same thing as basename(__FILE__). I'm using Skeleton Framework, and it turns out it can work around PATH_INFO being missing. The problem was that it was falsely reading from it when it was empty. To fix it, I just did unset($_SERVER['PATH_INFO']);, and it worked. Turns out my localhost doesn't have it either. I would like to know why it's not reliable.

Oh, and sorry, I don't have that book :(
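
An added example, not code from any poster in this thread or from Skeleton Framework: one way to condition PATH_INFO before use, covering the three cases discussed above (value includes the script path, value missing, value carrying markup). The function names `trailing_path_info` and `h`, the allowed character set, and the sample arrays are assumptions made for illustration.

```php
<?php
// Added example; function names are hypothetical, sample inputs are constructed.

// Return the trailing path after the script name, or '' if none is usable.
// $server is a $_SERVER-like array so this can be run offline.
function trailing_path_info(array $server): string
{
    $script = $server['SCRIPT_NAME'] ?? '';
    $info   = $server['PATH_INFO'] ?? '';

    // Some setups report the whole URL path, script included, as PATH_INFO
    // (the symptom in the first post). Strip the script prefix if present.
    if ($script !== '' && strpos($info, $script) === 0) {
        $info = (string) substr($info, strlen($script));
    }

    // PATH_INFO absent or empty: rebuild it from REQUEST_URI without the query.
    if ($info === '' && $script !== '' && isset($server['REQUEST_URI'])) {
        $path = rawurldecode(explode('?', $server['REQUEST_URI'], 2)[0]);
        if (strpos($path, $script) === 0) {
            $info = (string) substr($path, strlen($script));
        }
    }

    // Assumption: route segments are letters, digits, '_' or '-' only.
    // Anything else (markup, dots, control characters) is rejected outright.
    return preg_match('#\A(?:/[A-Za-z0-9_-]+)*/?\z#', $info) ? $info : '';
}

// Escape a value for HTML output, for PATH_INFO, PHP_SELF and similar.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$script  = '/foo/bar/bar.php';
$samples = [ // constructed $_SERVER fragments
    'misreported' => ['SCRIPT_NAME' => $script, 'PATH_INFO' => $script . '/user/42'],
    'missing'     => ['SCRIPT_NAME' => $script, 'REQUEST_URI' => $script . '/user/42?x=1'],
    'hostile'     => ['SCRIPT_NAME' => $script, 'PATH_INFO' => '/"><script>alert(1)</script>'],
];
foreach ($samples as $name => $server) {
    $raw = $server['PATH_INFO'] ?? '(unset)';
    printf("%-12s raw=%s clean='%s'\n", $name, h($raw), h(trailing_path_info($server)));
}
```

Validation decides what the application routes on; `h()` is still applied at output, because a value that passes routing rules is not automatically safe in an HTML context.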