My site relies heavily on $_SERVER['SERVER_ADDR']. Can I trust the data retrieved? Is there a possibility of finding an empty string?
This is called a "tainted" variable, and is unsafe. When using $_SERVER, many of the variables can be controlled. PHP_SELF, HTTP_USER_AGENT, HTTP_X_FORWARDED_FOR, HTTP_ACCEPT_LANGUAGE and many others are a part of the HTTP request header sent by the client.
Any $_SERVER variable can be spoofed - e.g. curl_setopt( $ch, CURLOPT_HTTPHEADER, array("REMOTE_ADDR: $ip", "HTTP_X_FORWARDED_FOR: $ip")); So it depends entirely on the context: if the attacker is expecting a response, it will go back to $ip. If they don't care about the response, they can certainly spoof the header.
$_SERVER is a PHP super global variable which holds information about headers, paths, and script locations.
What is $_SERVER['DOCUMENT_ROOT'] in PHP? $_SERVER['DOCUMENT_ROOT'] returns the document root directory under which the current script is executing, as defined in the server's configuration file. (15-Nov-2012)
From the php reference I quoted some
It seems that it depends on the server hosting PHP (especially Apache, IIS ...)
http://php.net/manual/en/reserved.variables.server.php
On Windows IIS 7 you must use $_SERVER['LOCAL_ADDR'] rather than $_SERVER['SERVER_ADDR'] to get the server's IP address.
And another.
Windows running IIS v6 does not include $_SERVER['SERVER_ADDR']
If you need to get the IP address, use this instead:
<?php
$ipAddress = gethostbyname($_SERVER['SERVER_NAME']);
?>
From Marc, this might work in a cross-platform situation:
$ipAddress = array_key_exists('SERVER_ADDR', $_SERVER) ? $_SERVER['SERVER_ADDR'] : $_SERVER['LOCAL_ADDR'];
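The platform differences quoted above (SERVER_ADDR missing on some IIS versions, LOCAL_ADDR used instead) and the question's empty-string case can be handled in one place. The following is an added example, not code from the original posts; the function name resolveServerAddr and the sample arrays are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (added example): resolve the server's own IP address
 * from a $_SERVER-style array without assuming any key is present.
 */
function resolveServerAddr(array $server): ?string
{
    // SERVER_ADDR is the usual key; LOCAL_ADDR is the IIS variant noted above.
    foreach (['SERVER_ADDR', 'LOCAL_ADDR'] as $key) {
        $value = $server[$key] ?? '';
        // Reject missing, empty or malformed values rather than passing them on.
        if (is_string($value) && filter_var($value, FILTER_VALIDATE_IP) !== false) {
            return $value;
        }
    }
    // No gethostbyname($_SERVER['SERVER_NAME']) fallback here: depending on
    // server configuration, SERVER_NAME can be derived from the Host header.
    return null; // caller must handle "unknown" explicitly
}

// Constructed sample inputs standing in for $_SERVER on different hosts.
$samples = [
    'apache'      => ['SERVER_ADDR' => '192.0.2.10'],
    'iis7'        => ['LOCAL_ADDR' => '192.0.2.20'],
    'empty value' => ['SERVER_ADDR' => ''],
    'cli / none'  => [],
];

foreach ($samples as $label => $server) {
    $addr = resolveServerAddr($server);
    echo str_pad($label, 12), ' => ', $addr ?? '(not available)', PHP_EOL;
}
```

Returning null instead of an empty string forces the calling code to decide what to do when no address is available, rather than silently comparing against ''.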