
which data from $_SERVER is reliable?

Posted: Mon Jun 12, 2006 4:08 am
by jmut
OK, I've read a lot of posts/articles discussing that the $_SERVER global variable (any variable, actually) is not to be trusted, or at least some stuff from it (everything that starts with HTTP_ can be spoofed).
So is there a finite list of the indexes we can really rely on? We have to rely on something anyhow.
What about REMOTE_USER, REMOTE_ADDR, etc.?
Can someone give a list of reliable stuff? Or is this more complicated than I think?
Thank you.

Posted: Mon Jun 12, 2006 5:34 am
by Maugrim_The_Reaper
Assume it all can be contaminated. Harsh, but why take the risk you miss one of them?

Check each variable for correct format, and clean if possible. You didn't mention PHP_SELF, which can also be manipulated by a user where the webserver allows URL rewriting...
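
An added example, not part of the original posts: one way to apply the "check each variable for correct format" advice above in PHP. The function name `server_value`, the `ALLOWED_HOSTS` list and the sample request values are constructed for illustration.

```php
<?php
// Treat every $_SERVER entry as untrusted input and validate its format
// before use. ALLOWED_HOSTS is a constructed list for this example.
const ALLOWED_HOSTS = ['www.example.com', 'example.com'];

// Returns the validated value, or null when the entry is missing or malformed.
function server_value(array $server, string $key): ?string
{
    $raw = $server[$key] ?? null;
    if (!is_string($raw)) {
        return null;
    }
    switch ($key) {
        case 'REMOTE_ADDR':
            // Filled in by the web server, but the format is still checked.
            return filter_var($raw, FILTER_VALIDATE_IP) !== false ? $raw : null;
        case 'HTTP_HOST':
            // Client-supplied header: accept only hosts this site serves.
            $host = strtolower(preg_replace('/:\d+$/', '', $raw));
            return in_array($host, ALLOWED_HOSTS, true) ? $host : null;
        case 'PHP_SELF':
            // May carry user-chosen trailing path info (/index.php/...),
            // so allow only plain path characters and escape for HTML output.
            if (!preg_match('#^/[A-Za-z0-9_./-]*$#', $raw)) {
                return null;
            }
            return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
        default:
            // Any other entry (all HTTP_* headers included): reject control
            // characters such as CR/LF that enable header or log injection.
            return preg_match('/[\x00-\x1F\x7F]/', $raw) ? null : $raw;
    }
}

// Constructed sample request data standing in for $_SERVER.
$sample = [
    'REMOTE_ADDR'     => '203.0.113.7',
    'HTTP_HOST'       => 'other.example.net',
    'PHP_SELF'        => '/index.php/"><b>',
    'HTTP_USER_AGENT' => "Mozilla/5.0\r\nX-Injected: 1",
];

foreach (array_keys($sample) as $key) {
    echo $key, ' => ';
    var_dump(server_value($sample, $key));
}
```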

Posted: Mon Jun 12, 2006 1:55 pm
by Christopher
I posted a list I had in these forums somewhere a while back.

Posted: Tue Jun 13, 2006 2:07 am
by jmut
arborint wrote: I posted a list I had in these forums somewhere a while back.
10x
I think I found it
viewtopic.php?t=48398