
is $_SERVER['DOCUMENT_ROOT'] safe?

Posted: Wed Aug 16, 2006 9:32 pm
by Luke
Is there anything unsafe about using the $_SERVER['DOCUMENT_ROOT'] to get the root directory? I read on php.net that IIS doesn't always support it, but are there any other potential problems with it? I've become sort of paranoid about $_SERVER variables and I'm not sure if I should be.

Posted: Wed Aug 16, 2006 9:35 pm
by feyd
The web server sets it based on its own internals, no user input is involved.

Posted: Wed Aug 16, 2006 9:35 pm
by daedalus__
'DOCUMENT_ROOT' doesn't work on my laptop, which is using IIS.

Posted: Wed Aug 16, 2006 9:37 pm
by feyd
Daedalus- wrote:
'DOCUMENT_ROOT' doesn't work on my laptop, which is using IIS.

1 second snipe.. oh yeah.


Posted: Thu Aug 17, 2006 12:36 pm
by volka
If the webserver/environment does not provide a value for document root (or similar), php-cgi sets _SERVER[DOCUMENT_ROOT] to the value of the php.ini parameter doc_root.

cgi_main.c wrote:
if (!env_document_root) {
    /* ini version of document root */
    if (!env_document_root) {
        env_document_root = PG(doc_root);
    }

php-isapi tries to map / to the real path.

php5isapi.c wrote:
static_variable_buf[0] = '/';
static_variable_buf[1] = 0;
variable_len = 2;
if (lpECB->ServerSupportFunction(lpECB->ConnID, HSE_REQ_MAP_URL_TO_PATH_EX, static_variable_buf, &variable_len, (LPDWORD) &humi)) {
    /* Remove trailing \ */
    if (humi.lpszPath[variable_len-2] == '\\') {
        humi.lpszPath[variable_len-2] = 0;
    }
    php_register_variable("DOCUMENT_ROOT", humi.lpszPath, track_vars_array TSRMLS_CC);
}

and I can't find another attempt to set DOCUMENT_ROOT. So it depends on whether the server supports HSE_REQ_MAP_URL_TO_PATH_EX or not.
http://msdn.microsoft.com/library/en-us/iissdk/html/57125ce7-6a08-491d-8395-135fc1b9655d.asp wrote:
HSE_REQ_MAP_URL_TO_PATH_EX
[...]
Requirements
Client: Requires Windows XP Professional, Windows 2000 Professional, or Windows NT Workstation 4.0.
Server: Requires Windows Server 2003, Windows 2000 Server, or Windows NT Server 4.0.
Product: IIS
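
An added example, not part of the thread or of the PHP source quoted above: a resolver that copes with the case described in these posts, where DOCUMENT_ROOT may be missing under IIS, and fails closed instead of building paths from an empty string. The function name resolve_document_root() is hypothetical, and the fallback assumes the script is not served through an alias or virtual directory.

```php
<?php
// Added example; resolve_document_root() is a hypothetical helper name.

/**
 * Return the canonical document root, or null when it cannot be determined.
 * $server is normally $_SERVER; it is a parameter so the logic can be
 * exercised with constructed arrays.
 */
function resolve_document_root(array $server): ?string
{
    // 1. Value set by the web server, or by php-cgi from php.ini doc_root.
    if (!empty($server['DOCUMENT_ROOT'])) {
        $root = realpath($server['DOCUMENT_ROOT']);
        if ($root !== false && is_dir($root)) {
            return $root;
        }
    }

    // 2. Fallback: strip the script's URL path from its filesystem path.
    //    Assumption: no alias/virtual directory sits between the two.
    if (!empty($server['SCRIPT_FILENAME']) && !empty($server['SCRIPT_NAME'])) {
        $file = str_replace('\\', '/', $server['SCRIPT_FILENAME']);
        $name = str_replace('\\', '/', $server['SCRIPT_NAME']);
        $len  = strlen($name);
        if ($len < strlen($file)
            && substr_compare($file, $name, -$len, $len, true) === 0) {
            $root = realpath(substr($file, 0, -$len));
            if ($root !== false && is_dir($root)) {
                return $root;
            }
        }
    }

    // 3. Nothing trustworthy: let the caller stop rather than guess.
    return null;
}

// Constructed input: an IIS-style environment without DOCUMENT_ROOT.
$sample = [
    'SCRIPT_FILENAME' => __DIR__ . DIRECTORY_SEPARATOR . basename(__FILE__),
    'SCRIPT_NAME'     => '/' . basename(__FILE__),
];

$root = resolve_document_root($sample);
if ($root === null) {
    exit("Document root could not be determined\n");
}
echo $root, "\n";
```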