Page 1 of 1
is $_SERVER['DOCUMENT_ROOT'] safe?
Posted: Wed Aug 16, 2006 9:32 pm
by Luke
Is there anything unsafe about using the $_SERVER['DOCUMENT_ROOT'] to get the root directory? I read on php.net that IIS doesn't always support it, but are there any other potential problems with it? I've become sort of paranoid about $_SERVER variables and I'm not sure if I should be.
Posted: Wed Aug 16, 2006 9:35 pm
by feyd
The web server sets it based on it's own internals, no user input is involved.
Posted: Wed Aug 16, 2006 9:35 pm
by daedalus__
'DOCUMENT_ROOT' doesn't work on my laptop, which is using IIS.
Posted: Wed Aug 16, 2006 9:37 pm
by feyd
Daedalus- wrote:'DOCUMENT_ROOT' doesn't work on my laptop, which is using IIS.

1 second snipe.. oh yeah.


Posted: Thu Aug 17, 2006 12:36 pm
by volka
If the webserver/environment doe not provide a value for document root (or similar) php-cgi sets _SERVER[DOCUMENT_ROOT] to the value of
the php.ini parameter doc_root.
cgi_main.c wrote:if (!env_document_root) {
/* ini version of document root */
if (!env_document_root) {
env_document_root = PG(doc_root);
}
php-isapi tries to map / to the
real pathphp5isapi.c wrote:static_variable_buf[0] = '/';
static_variable_buf[1] = 0;
variable_len = 2;
if (lpECB->ServerSupportFunction(lpECB->ConnID, HSE_REQ_MAP_URL_TO_PATH_EX, static_variable_buf, &variable_len, (LPDWORD) &humi)) {
/* Remove trailing \ */
if (humi.lpszPath[variable_len-2] == '\\') {
humi.lpszPath[variable_len-2] = 0;
}
php_register_variable("DOCUMENT_ROOT", humi.lpszPath, track_vars_array TSRMLS_CC);
}
and I can't find an other attempt to set DOCUMENT_ROOT. So it depends on wether the server supports HSE_REQ_MAP_URL_TO_PATH_EX or not.