Problems with using $_SERVER
as in the subject line, i have a script which currently figures out what URL it sits at by checking some stuff in $_SERVER. ideally i need to be able to get both the server's domain name and the folder where the script file sits so like http://www.domainname1.com/somedir/script.php would be parsed into "www.domainname1.com" and "somedir".
however, some servers i have been goofing with don't have any $_SERVER data members. at this point i'm not clear if this is an OS issue or a security issue.
my question is 2fold:
-what settings/configuration issues determine what (if anything) resides at $_SERVER?
-how can my script figure out its host domain name and folder without making use of $_SERVER?
- launchcode
- Forum Contributor
- Posts: 401
- Joined: Tue May 11, 2004 7:32 pm
- Location: UK
- Contact:
Have you run a PHPINFO on your hosts to see exactly what $_SERVER values do exist? I am not aware of any configuration setting within PHP itself that restricts what it can or cannot read.
You can sometimes use the Apache Environment array instead of $_SERVER to get the domain name/folder - but that won't work on IIS (etc).
here's an example of a problem server:
http://www.skinjob.net/tsp/info.php
that link is to this code:
Code:
<?php
phpinfo();
echo "<br>";
print_r($_SERVER);
?>
SleepyP wrote: this is weird, i could've sworn that this info wasn't available before....
what about Register Globals, what does that do?
Reg globs on can do terrible things - or nothing at all.
Superglobal arrays $_GET, $_POST, $_COOKIE, and $_SESSION receive their member vars from the obvious sources.
With register globals on, any element of these arrays is automatically declared as a var in the global scope. For example, $_POST['name'] would be declared in the global scope as $name.
With register globals off, this doesn't happen. The vars remain "locked up" in their respective arrays.
Reg globs on allows a hacker to declare vars with any name and any value in the global scope. All you have to do is tamper with the query string or forge a form submission or cookie. That isn't necessarily an open door into your scripts - but at the same time it isn't something to ignore.
Suppose, with reg globs on, a hacker injected an $admin var into the global scope of your script. If the normal script doesn't ever refer to a var called $admin in this scope, it just sits there doing nothing. No problem.
Next, suppose you do declare an $admin var in the legitimate code (global scope). Again no problem (probably). Although reg globs has already declared the var with the hacked value, as soon as the parser gets to the line in your script where YOU declare the var, the hacked value is immediately overwritten.
The problem with reg globs on arises when you have undefined vars/indexes in your scripts in the global scope. Reg globs on allows a hacker to set their own values for these vars. Still, it depends on the var and how it is used just how serious a problem that could be: an undefined $row_background_color wouldn't lead to any loss of sleep, but $has_superuser_access might.
Code:
if ($has_superuser_access == true)
{
    // download all the credit card numbers...
}
In summary, turn reg globs off if you can - but if you can't it's not the end of the world. Just be VERY careful not to have any undefined vars/indexes in the global scope.
Incidentally, with object oriented programming, you tend not to have much in the global scope to begin with. One var and two lines of code might be all you need for all http requests to the site:
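Code:
<?php
// FrontController is the application's own class, defined elsewhere.
// Plain assignment replaces the PHP 4 "=& new" form, which no longer parses in PHP 7+.
$fc = new FrontController;
$fc->execute();
?>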
Last edited by McGruff on Mon Aug 08, 2005 10:51 pm, edited 1 time in total.
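The undefined-variable case described in the post above, as an added example that is not part of the original thread: the "before" and "after" of the `$has_superuser_access` check, plus an audit helper that lists uninitialised variables. The function names and the sample request are assumptions made for illustration, and `extract()` is used to emulate register_globals because the setting itself was removed in PHP 5.4.

```php
<?php
// Added illustration, not code from the thread. register_globals was removed
// in PHP 5.4, so extract() stands in for it: it turns every key of the request
// array into a variable, as the setting did in the global scope.
// "Before": the flag is assigned only when login succeeds, so on the failure
// path it holds whatever the request supplied.
function page_vulnerable(array $request, bool $login_ok): bool
{
    extract($request);                     // emulated register_globals = On
    if ($login_ok) {
        $has_superuser_access = true;
    }
    return $has_superuser_access == true;  // the check from the post
}

// "After": the flag is initialised unconditionally, so a request-supplied
// value is overwritten before the check runs.
function page_hardened(array $request, bool $login_ok): bool
{
    extract($request);
    $has_superuser_access = $login_ok;
    return $has_superuser_access === true;
}

// Audit aid: call a page with an empty request and collect every
// "Undefined variable" notice/warning. Each hit names a variable that
// register_globals would let a request define.
function find_uninitialised(callable $page): array
{
    $hits = [];
    set_error_handler(function (int $no, string $msg) use (&$hits): bool {
        if (stripos($msg, 'Undefined variable') === 0) {
            $hits[] = $msg;
        }
        return true;                       // suppress PHP's default output
    });
    try {
        $page([], false);
    } finally {
        restore_error_handler();
    }
    return $hits;
}

// Constructed sample request, equivalent to ?has_superuser_access=1
$forged = ['has_superuser_access' => '1'];
var_dump(page_vulnerable($forged, false), page_hardened($forged, false));
print_r(find_uninitialised('page_vulnerable'));
print_r(find_uninitialised('page_hardened'));
```

Running scripts under `error_reporting(E_ALL)` during development surfaces the same undefined-variable messages without a custom handler.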
damn, that is a great explanation! thanks man. that clears up that issue, i basically have no issues with reg globs.
i did a little goofing around, and found that by changing my find_currentdir() function a little i can make it work with Linux servers as well. so now the values i am concerned with are $_SERVER[HTTP_HOST], $_SERVER[PATH_TRANSLATED], and $_SERVER[DOCUMENT_ROOT]. anyone know of a reason why these values would be unavailable?