which data from $_SERVER is reliable?


Post by jmut »

Ok, I've read a lot of posts/articles discussing that the $_SERVER global variable (any variable, actually) is not to be trusted, or at least some stuff from it (everything that starts with HTTP_ can be spoofed).
So is there a finite list of the indexes we can really rely on? We have to rely on something anyhow.
What about REMOTE_USER, REMOTE_ADDR, etc.?
Can someone give a list of reliable stuff? Or is this more complicated than I think?
Thank you.

Post by Maugrim_The_Reaper »

Assume it all can be contaminated. Harsh, but why take the risk you miss one of them?

Check each variable for correct format, and clean if possible. You didn't mention PHP_SELF, which can also be manipulated by a user where the webserver allows URL rewriting...
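
One way to apply the "check each variable for correct format, and clean if possible" advice above, as an added example that is not part of the original thread. The function name `clean_server`, the allowlisted host names and the sample request values are assumptions made for illustration.

```php
<?php
// Added example: format checks for a few $_SERVER entries before they are used.
// ALLOWED_HOSTS and clean_server() are hypothetical names, not from the thread.
const ALLOWED_HOSTS = ['www.example.com', 'example.com'];

function clean_server(array $server): array
{
    $out = [];

    // REMOTE_ADDR: accept only a syntactically valid IPv4/IPv6 address.
    $ip = filter_var($server['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP);
    $out['remote_addr'] = ($ip === false) ? null : $ip;

    // HTTP_HOST: starts with HTTP_, so it comes from the client. Strip the
    // port and compare against a fixed allowlist rather than sanitising it.
    $host = strtolower(preg_replace('/:\d+$/', '', $server['HTTP_HOST'] ?? ''));
    $out['host'] = in_array($host, ALLOWED_HOSTS, true) ? $host : null;

    // PHP_SELF: can carry user-appended path data, so escape it before it
    // is written into HTML (for example a form action attribute).
    $out['self_html'] = htmlspecialchars($server['PHP_SELF'] ?? '', ENT_QUOTES, 'UTF-8');

    // HTTP_USER_AGENT: free text; bound the length and drop control bytes
    // before it reaches logs or a database.
    $ua = substr($server['HTTP_USER_AGENT'] ?? '', 0, 255);
    $out['user_agent'] = preg_replace('/[\x00-\x1F\x7F]/', '', $ua);

    return $out;
}

// Constructed sample standing in for $_SERVER on a request with bad values.
$sample = [
    'REMOTE_ADDR'     => '203.0.113.7',
    'HTTP_HOST'       => 'other.example:8080',
    'PHP_SELF'        => '/form.php/"><b>x</b>',
    'HTTP_USER_AGENT' => "Mozilla/5.0\t(constructed)\x00",
];

var_dump(clean_server($sample));
```

Values that fail a check come back as `null`, so calling code has to handle the missing case explicitly instead of using the raw entry.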

Post by Christopher »

I posted a list I had in these forums somewhere a while back.
(#10850)

Post by jmut »

arborint wrote: I posted a list I had in these forums somewhere a while back.
10x
I think I found it
viewtopic.php?t=48398