Where are my $_SERVER variables?

Posted: Tue Jul 11, 2006 12:15 pm
by rsouthon
Hi,

I've written lots of PHP scripts on a server managed by a 3rd party and now I'm switching to my own server. I installed PHP on Apache Tomcat and it works fine - except that when I ask for $_SERVER variables, they are all blank!

Do I have to set them up in the server? Where? How?

Thanks For Your Help,
RR


PS - I checked pretty much every one and even $_SERVER['PHP_SELF'] doesn't work

Posted: Tue Jul 11, 2006 12:35 pm
by RobertGonzalez
I think this has to do with the server settings. It has been spoken about quite often recently that reliance on Server Variables is at best a shot in the dark. Not only that, but it is insecure as well. You may want to look into alternative ways to achieve what you want out of your server variables.

Re: Where are my $_SERVER variables?

Posted: Tue Jul 11, 2006 1:23 pm
by Oren
rsouthon wrote:PS - I checked pretty much every one and even $_SERVER['PHP_SELF'] doesn't work
Try this:

Code:

<?php
	print_r($_SERVER);
?>
And tell us what you get :wink:

How do I set up the server variables?

Posted: Wed Jul 12, 2006 9:25 am
by rsouthon
I tried Oren's test and got this:

Array ( [argv] => Array ( ) [argc] => 0 )

I assume that means there are no server variables defined? So where and how do I set them?

If they are a true security threat, how should I be defining things like a variable that gives me the current page or the server root? I really don't know how I would have built my previous PHP applications without them! It would have been messy. WHICH variables are a security threat? Maybe I can just set up the ones I want to use instead of all of them?

Thanks for your help so far!

Posted: Wed Jul 12, 2006 10:09 am
by RobertGonzalez
Looking around the file system section of the manual gives good insight into how a developer would achieve what you want to achieve without the use of server variables. pathinfo(), basename() and dirname() come to mind.

Forget Server Variables

Posted: Mon Jul 17, 2006 4:13 pm
by rsouthon
Everah wrote:Looking around the file system section of the manual gives good insight into how a developer would achieve what you want to achieve without the use of server variables. pathinfo(), basename() and dirname() come to mind.
You're right! It seems like I can get most of the info I want out of file system functions. Other than that, I just use my own session variables. Thx!

RR

Posted: Mon Jul 17, 2006 4:15 pm
by jamiel
Your print_r indicates you might be executing the cli version of php rather than the cgi.

Another way to get current page without server var

Posted: Mon Aug 21, 2006 2:52 pm
by rsouthon
This is actually all I needed:
echo $PHP_SELF;

Posted: Mon Aug 21, 2006 2:55 pm
by Luke
PHP_SELF can contain user input, so be careful with it.

Posted: Mon Aug 21, 2006 3:09 pm
by Oren
The Ninja Space Goat wrote:PHP_SELF can contain user input, so be careful with it.
What The Ninja Space Goat was trying to say: Don't use it.

Try this instead:

Code:

$self = basename(__FILE__);

Re: Another way to get current page without server var

Posted: Tue Aug 22, 2006 12:15 am
by RobertGonzalez
rsouthon wrote:This is actually all I needed:
echo $PHP_SELF;
$PHP_SELF also requires register_globals to be on. That is insane.

Do this instead:

Code:

<?php
// If this is in the calling page
$file = basename(__FILE__);

// Or, if calling from outside the file, like an include
$file = basename($_SERVER['SCRIPT_FILENAME']);
?>
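
Added example, not part of any post in this thread: why echoing PHP_SELF into a form is risky, next to the basename(__FILE__) approach suggested above. The function names, the contact.php script name and the request values are constructed for illustration, and the code assumes the common Apache + PHP behaviour where extra path segments after the script name end up in PHP_SELF.

```php
<?php
// Unsafe pattern common in tutorials: PHP_SELF echoed straight into markup.
function form_action_unsafe(array $server): string
{
    return '<form method="post" action="' . $server['PHP_SELF'] . '">';
}

// Safer: take the name from the file on disk, which the client cannot
// influence, and still escape it for the HTML attribute context.
function form_action_from_file(string $file): string
{
    return '<form method="post" action="'
        . htmlspecialchars(basename($file), ENT_QUOTES, 'UTF-8') . '">';
}

// If a server variable has to be used, SCRIPT_NAME carries no trailing
// path info; escape it on output anyway.
function form_action_escaped(array $server): string
{
    return '<form method="post" action="'
        . htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed request for: /contact.php/"><em>injected</em>
// The part after the script name arrives as PATH_INFO and is appended
// to PHP_SELF, so the client controls the tail of that value.
$server = [
    'SCRIPT_NAME' => '/contact.php',
    'PATH_INFO'   => '/"><em>injected</em>',
];
$server['PHP_SELF'] = $server['SCRIPT_NAME'] . $server['PATH_INFO'];

// The attribute is closed early and the client's markup lands in the page.
echo form_action_unsafe($server), "\n";

// Only the script's own file name appears.
echo form_action_from_file(__FILE__), "\n";

// Only /contact.php appears, with any special characters escaped.
echo form_action_escaped($server), "\n";
```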

Posted: Tue Aug 22, 2006 2:17 am
by matthijs
If you think about it. How many examples of form scripts do use echo PHP SELF? 90% of the scripts on hotscripts? 98% of the scripts in tutorials on how-to-build your own contact form?

Posted: Tue Aug 22, 2006 2:22 am
by Luke
Well, that is why I tend not to send people to online PHP tutorials... they tend to toss security and practice out the window.

Posted: Tue Aug 22, 2006 8:39 am
by RobertGonzalez
matthijs wrote:If you think about it. How many examples of form scripts do use echo PHP SELF? 90% of the scripts on hotscripts? 98% of the scripts in tutorials on how-to-build your own contact form?
Popularity != sensibility. Just because all of the lazy developers that submit scripts to Hotscripts use it does not mean that the rest of us less lazy developers should.