Problems with using $_SERVER

SleepyP
Forum Newbie
Posts: 14
Joined: Wed Apr 21, 2004 7:30 pm

Post by SleepyP »

as in the subject line, i have a script which currently figures out what URL it sits at by checking some stuff in $_SERVER. ideally i need to be able to get both the server's domain name and the folder where the script file sits so like http://www.domainname1.com/somedir/script.php would be parsed into "www.domainname1.com" and "somedir".
however, some servers i have been goofing with don't have any $_SERVER data members. at this point i'm not clear if this is an OS issue or a security issue.
my question is 2fold:
-what settings/configuration issues determine what (if anything) resides at $_SERVER?
-how can my script figure out its host domain name and folder without making use of $_SERVER?
launchcode
Forum Contributor
Posts: 401
Joined: Tue May 11, 2004 7:32 pm
Location: UK

Post by launchcode »

Have you run a PHPINFO on your hosts to see exactly what $_SERVER values do exist? I am not aware of any configuration setting within PHP itself that restricts what it can or cannot read.

You can sometimes use the Apache Environment array instead of $_SERVER to get the domain name/folder - but that won't work on IIS (etc).
SleepyP
Forum Newbie
Posts: 14
Joined: Wed Apr 21, 2004 7:30 pm

Post by SleepyP »

here's an example of a problem server:
http://www.skinjob.net/tsp/info.php

that link is to this code:

Code:

<?php
phpinfo();

echo"<br>";
print_r($_SERVER);
?>
SleepyP
Forum Newbie
Posts: 14
Joined: Wed Apr 21, 2004 7:30 pm

Post by SleepyP »

this is weird, i could've sworn that this info wasn't available before....
what about Register Globals, what does that do?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

sure looks to me like the $_SERVER vars are there to get the information you want.
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

SleepyP wrote:
this is weird, i could've sworn that this info wasn't available before....
what about Register Globals, what does that do?

Reg globs on can do terrible things - or nothing at all.

Superglobal arrays $_GET, $_POST, $_COOKIE, and $_SESSION receive their member vars from the obvious sources.

With register globals on, any element of these arrays is automatically declared as a var in the global scope. For example, $_POST['name'] would be declared in the global scope as $name.

With register globals off, this doesn't happen. The vars remain "locked up" in their respective arrays.

Reg globs on allows a hacker to declare vars with any name and any value in the global scope. All you have to do is tamper with the query string or forge a form submission or cookie. That isn't necessarily an open door into your scripts - but at the same time it isn't something to ignore.

Suppose, with reg globs on, a hacker injected an $admin var into the global scope of your script. If the normal script doesn't ever refer to a var called $admin in this scope, it just sits there doing nothing. No problem.

Next, suppose you do declare an $admin var in the legitimate code (global scope). Again no problem (probably). Although reg globs has already declared the var with the hacked value, as soon as the parser gets to the line in your script where YOU declare the var, the hacked value is immediately overwritten.

The problem with reg globs on arises when you have undefined vars/indexes in your scripts in the global scope. Reg globs on allows a hacker to set their own values for these vars. Still, it depends on the var and how it is used just how serious a problem that could be: an undefined $row_background_color wouldn't lead to any loss of sleep, but $has_superuser_access might.

Code:

if($has_superuser_access == true)
{
    // download all the credit card numbers...
}
Thankfully, it's very easy to identify undefined vars/indexes: always develop on your local server with E_ALL error reporting. Fix them as soon as you find them.

In summary, turn reg globs off if you can - but if you can't it's not the end of the world. Just be VERY careful not to have any undefined vars/indexes in the global scope.

Incidentally, with object oriented programming, you tend not to have much in the global scope to begin with. One var and two lines of code might be all you need for all http requests to the site:

Code:

<?php
// plain assignment: "=& new" was removed in PHP 7
$fc = new FrontController();
$fc->execute();
?>
Last edited by McGruff on Mon Aug 08, 2005 10:51 pm, edited 1 time in total.
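
The undefined-variable problem McGruff describes, as an added example that is not part of the original posts. Current PHP no longer has register_globals (it was removed in PHP 5.4), so `extract()` stands in for it here; the function names and the forged request are constructed for illustration.

```php
<?php
// Added example; all names and sample requests are constructed.
error_reporting(E_ALL);

// Collect what E_ALL reports so the undefined variable shows up in testing.
$diagnostics = [];
set_error_handler(function (int $no, string $msg) use (&$diagnostics): bool {
    $diagnostics[] = $msg;
    return true;
});

// Vulnerable: the flag is assigned on one branch only, so for a non-admin
// it holds whatever the request put there (or is undefined).
function access_vulnerable(array $request, bool $isAdmin): bool
{
    // Stand-in for register_globals = On; EXTR_SKIP keeps the function's
    // own parameters from being overwritten by request keys.
    extract($request, EXTR_SKIP);
    if ($isAdmin) {
        $has_superuser_access = true;
    }
    return $has_superuser_access == true;
}

// Hardened: the script always assigns the flag itself before reading it,
// which overwrites any value that arrived with the request.
function access_hardened(array $request, bool $isAdmin): bool
{
    extract($request, EXTR_SKIP);
    $has_superuser_access = false;
    if ($isAdmin) {
        $has_superuser_access = true;
    }
    return $has_superuser_access == true;
}

// Constructed request, as if sent with ?has_superuser_access=1
$forged = ['has_superuser_access' => '1'];

var_dump(access_vulnerable($forged, false)); // request value decides
var_dump(access_hardened($forged, false));   // script value decides
var_dump(access_vulnerable([], false));      // reads an undefined variable
print_r($diagnostics);                       // diagnostics raised by that read
```

The last call is the case E_ALL exposes during development: the read of the unassigned flag is reported even though no forged value was sent.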
SleepyP
Forum Newbie
Posts: 14
Joined: Wed Apr 21, 2004 7:30 pm

Post by SleepyP »

damn, that is a great explanation! thanks man. that clears up that issue, i basically have no issues with reg globs :).
i did a little goofing around, and found that by changing my find_currentdir() function a little i can make it work with Linux servers as well. so now the values i am concerned with are $_SERVER[HTTP_HOST], $_SERVER[PATH_TRANSLATED], and $_SERVER[DOCUMENT_ROOT]. anyone know of a reason why these values would be unavailable?
launchcode
Forum Contributor
Posts: 401
Joined: Tue May 11, 2004 7:32 pm
Location: UK

Post by launchcode »

Well they should be: $_SERVER['HTTP_HOST'] (note the quote marks) - but even so, this can still be controlled from a web server level, i.e. it might be out of your control. Can you find HTTP_HOST on your phpinfo() dump?
SleepyP
Forum Newbie
Posts: 14
Joined: Wed Apr 21, 2004 7:30 pm

Post by SleepyP »

hehe. the variable calls work without quotes. the information is present on all servers i currently have access to, i just wondered if there was a specific reason why it wouldn't be.
launchcode
Forum Contributor
Posts: 401
Joined: Tue May 11, 2004 7:32 pm
Location: UK

Post by launchcode »

They do work without quotes, yes.. but every time you do it, PHP will raise a script Warning because it thinks you're trying to use a constant.

In other words, it's bad practise - learn to quote everything ;)
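
One way to derive the host name and folder asked about in the first post, as an added example that is not code from the thread. It reads `HTTP_HOST` and `SCRIPT_NAME` (a standard `$_SERVER` key not mentioned in the thread) with quoted keys, and because `HTTP_HOST` is copied from the request's Host header it accepts the value only if it is on an allowlist. The function name `script_location()`, the allowlist and the sample arrays are constructed for illustration.

```php
<?php
// Added example; script_location(), the allowlist and the sample data are
// hypothetical and not from the thread.

function script_location(array $server, array $allowedHosts): ?array
{
    // Quoted keys with defaults, so a missing entry is handled instead of
    // raising an undefined-index diagnostic.
    $host   = strtolower($server['HTTP_HOST'] ?? '');
    $script = $server['SCRIPT_NAME'] ?? '';

    // Drop an optional ":port" suffix before comparing.
    $host = preg_replace('/:\d+$/', '', $host);

    // HTTP_HOST comes from the client's Host header, so accept only the
    // names this site is known to serve.
    if (!in_array($host, $allowedHosts, true)) {
        return null;
    }

    // Directory part of the script's URL path, without surrounding slashes.
    // Backslashes are normalised because dirname() may return "\" on Windows.
    $dir = trim(str_replace('\\', '/', dirname($script)), '/');

    return ['host' => $host, 'dir' => $dir];
}

$allowed = ['www.domainname1.com'];

// Constructed sample matching the URL in the first post.
$sample = [
    'HTTP_HOST'   => 'www.domainname1.com',
    'SCRIPT_NAME' => '/somedir/script.php',
];
print_r(script_location($sample, $allowed));

// Constructed sample: unexpected Host value and no SCRIPT_NAME at all.
var_dump(script_location(['HTTP_HOST' => 'other.example'], $allowed));
```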