Can the PHP variable $_SERVER['SERVER_NAME'] be forged or faked? I was planning on using that as a security measure for form posting. I would check to make sure that variable is my site name (www.example.com). I know HTTP_REFERRER can be faked, but I wasn't sure on this one.
Thanks!
The above $_SERVER['HTTP_HOST'] can be spoofed by headers in the request and is thus not trustworthy.
$_SERVER['SERVER_NAME'] Returns the name of the host server (such as www.w3schools.com)
$_SERVER['SERVER_SOFTWARE'] Returns the server identification string (such as Apache/2.2.24)
The HTTP_HOST is obtained from the HTTP request header and this is what the client actually used as "target host" of the request. The SERVER_NAME is defined in server config. Which one to use depends on what you need it for.
PHP: $_SERVER['SERVER_NAME'] States the name of the host server. The following PHP code uses the $_SERVER['SERVER_NAME'] variable to display the name of the host server.
Actually $_SERVER['SERVER_NAME'] can be affected by what the client browser sends over... See http://shiflett.org/blog/2006/mar/server-name-versus-http-host for a thorough investigation on the issue.
By a visitor it can't normally be faked out. But I suspect you would want to enforce a certain SERVER_NAME to license scripts so they can only be used by particular domains. In this case the answer is yes, this variable can definitely be faked.
The reason is simple: the server sets this value. In most cases you would have PHP running as an Apache module, but sometimes you have other Apache modules, sometimes you have PHP running in CGI mode with NGINX or IIS, sometimes you even have PHP running as CLI forked as a child process by a custom-built server deployed in a cloud. Those servers would be responsible for setting that variable.
Plus, there's always the manual assignment.
$_SERVER['SERVER_NAME'] = ... // this can go above all your scripts
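An added example, not part of any answer above: instead of trusting either variable, compare both against a hard-coded list of the site's host names. `ALLOWED_HOSTS`, the function names and the sample arrays are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: the site's own host names, fixed at deploy time.
const ALLOWED_HOSTS = ['www.example.com', 'example.com'];

// Lower-case the value and drop an optional :port and trailing dot.
function normalise_host(?string $raw): ?string
{
    if ($raw === null || trim($raw) === '') {
        return null;                          // e.g. HTTP/1.0 request without Host
    }
    $host = strtolower(trim($raw));
    $host = (string) preg_replace('/:\d{1,5}$/', '', $host);
    return rtrim($host, '.');
}

// Returns the allowlisted name, or null when either variable is off-list.
function trusted_host(array $server, array $allowed = ALLOWED_HOSTS): ?string
{
    $name = null;
    foreach (['HTTP_HOST', 'SERVER_NAME'] as $key) {
        $name = normalise_host($server[$key] ?? null);
        if ($name === null || !in_array($name, $allowed, true)) {
            return null;
        }
    }
    return $name;                             // normalised SERVER_NAME
}

// Constructed $_SERVER-style samples, not captured traffic.
$samples = [
    'matching'           => ['SERVER_NAME' => 'www.example.com', 'HTTP_HOST' => 'WWW.Example.com:443'],
    'client-chosen Host' => ['SERVER_NAME' => 'www.example.com', 'HTTP_HOST' => 'other.test'],
    'server copies Host' => ['SERVER_NAME' => 'other.test', 'HTTP_HOST' => 'other.test'],
    'no Host header'     => ['SERVER_NAME' => 'www.example.com'],
];

foreach ($samples as $label => $server) {
    printf("%-20s %s\n", $label, trusted_host($server) ?? 'rejected');
}
```

A passing check only says which host name the request was addressed to; it says nothing about where the submitted form came from.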