Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
A lot of what is in $_SERVER is tainted. Anything beginning with HTTP for a start. If you are using name-based virtual hosts HTTP_HOST is safe because it has already been white-listed by Apache but that's an exception. PHP_SELF is not safe.
$_SERVER should be treated like $_GET, $_POST, and $_COOKIE. It can all be altered by the usre, so you must treat it as though it can be altered by the user.
All the variables are added via ap_add_cgi_vars and ap_add_common_vars in apache.. Thus as soon as you can modify these, you can influence what goes into PHP's $_SERVER
ole wrote:If you are using name-based virtual hosts HTTP_HOST is safe because it has already been white-listed by Apache but that's an exception.
I'm pretty sure that's not the case for the default host, so that exception is worth mentioning.
I treat everything in $_SERVER as input just like anything else, because there are too many edge cases, and because defense in depth never hurt anyone. :-)