 

how safe is $_SERVER["HTTP_HOST"]?

I have a database full of website URLs; the primary key is the $_SERVER["HTTP_HOST"] of the website.

When a user navigates to ... let's say www.my-epic-example-url.com, it will connect to the database and use the $_SERVER["HTTP_HOST"] of that website, then fetch all the data referencing that website!

What I want to know is, how safe is $_SERVER["HTTP_HOST"] ?

Can it be externally modified?

The only reason I ask is because I read an article a while back (can't remember where it was) saying to be careful when using $_SERVER because it is unsafe...

Is this true?

AlexMorley-Finch asked Apr 27 '12 12:04



1 Answer

$_SERVER["HTTP_HOST"] is the HTTP Host header, as sent from the client. That makes this header generally unsafe.

But, if you are in a typical virtual host setup in which the web server decides which script to execute based on VirtualHost configurations, which in turn are triggered by the HTTP Host header, your script should not get executed unless a known, whitelisted value was received in that header.

If the web server does not care about the Host header and executes a certain script for any and all requests, then this value could be absolutely anything.

deceze answered Sep 20 '22 16:09
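The answer's point is that the Host header is client-supplied, so an application that looks up a site by it should only accept values it already knows. The following is an added example written for this page, not code from the answer or from the original poster; the allowlist entries, the `websites` table, its `host` column and the DSN are constructed placeholders. It checks the header against an explicit allowlist (the application-level equivalent of the VirtualHost matching the answer describes), handles the CLI case where the key is absent, and passes the validated value to a prepared statement rather than concatenating it into SQL.

```php
<?php
// Added example (not part of the original answer): treat $_SERVER['HTTP_HOST']
// as untrusted input and accept only allowlisted hosts before using it as a
// database key. Allowlist, table name and DSN below are constructed placeholders.

declare(strict_types=1);

const KNOWN_HOSTS = [
    'www.my-epic-example-url.com',
    'my-epic-example-url.com',
];

/**
 * Normalise and validate the incoming Host header.
 * Returns the canonical host, or null if it is absent or not allowlisted.
 */
function resolveSiteHost(array $server, array $allowlist): ?string
{
    if (!isset($server['HTTP_HOST'])) {
        // Not set when run from the CLI, or for HTTP/1.0 clients that send no Host.
        return null;
    }

    $host = strtolower(trim($server['HTTP_HOST']));

    // Drop an explicit port ("example.com:8080") so it matches the stored key.
    $host = preg_replace('/:\d+$/', '', $host);

    // Accept only a plain DNS-style hostname; anything else is rejected outright.
    if (!preg_match('/^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?$/', $host)) {
        return null;
    }

    // Strict comparison against the allowlist; unknown hosts get null.
    return in_array($host, $allowlist, true) ? $host : null;
}

$host = resolveSiteHost($_SERVER, KNOWN_HOSTS);
if ($host === null) {
    http_response_code(400);
    exit('Unknown host');
}

// Fetch the site row by its validated host. A prepared statement keeps the
// header value out of the SQL text even though it has already been validated.
$pdo = new PDO('mysql:host=localhost;dbname=sites', 'app', 'secret'); // placeholder DSN
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$stmt = $pdo->prepare('SELECT * FROM websites WHERE host = :host');
$stmt->execute([':host' => $host]);
$site = $stmt->fetch(PDO::FETCH_ASSOC);

if ($site === false) {
    http_response_code(404);
    exit('Site not configured');
}
```

In practice the allowlist can be loaded from the same table the sites live in, but the check should still happen before the value is used for anything else (redirects, generated links, cache keys), and a catch-all default VirtualHost that serves nothing is a useful second line of defence when the web server is the one deciding which script runs.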