Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

secure php host name information - $_SERVER['HTTP_HOST'] alternative

Tags:

security

php

xss

global

I have a public facing debug script that I would only like to run on certain dev boxes, I was hoping to do this programatically inside this script, by detecting the server ip or name-

So I have a question about the security of $_SERVER and $_SERVER['HTTP_HOST'] in particular.

From this: http://shiflett.org/blog/2006/mar/server-name-versus-http-host blog post I have gathered that this var is pretty insecure, and can't be trusted.

What is the best way to find out from php what box you are currently on?

I thought of using FILE , since that seems to be pretty secure, but I'm not sure I have enough info just from the file path.

I don't necessarily need the server name, even ip would be fine.

thanks in advance.

like image 213
awongh Avatar asked Oct 12 '22 16:10

awongh

2 Answers

The best way? It depends on the level of control you have on your environment. Here are some options:

  1. Set an environmental variable via the webserver to indicate the box.

    if (getenv('env_server') == 'production')

    This is nice, since there's no files that you need to worry about. Just the webserver configuration.

  2. Set a file in a "known" place on the server, and check that (one file for the entire server).

    require('/path/to/environment.php');

    That file should define a constant to determine the environment.

  3. Manually configure each application for the server. This is the easiest to do, since it doesn't require anything on the server side, but it's also the least convenient since you need to manually configure each install...

  4. External IP address used to get to the site:

    $_SERVER['SERVER_ADDR']

    This is nice since it requires no additional configuration on the server side. But it will require you to keep a map of all active IP addresses, and the servers they are bound to (especially since more than 1 IP can point to the same server)...

like image 140
ircmaxell Avatar answered Oct 27 '22 21:10

ircmaxell

The best method is to explicitly define the machine by placing an environment config file on it and checking for it:

if (file_exists('environment.php')) {
    include 'environment.php';
}

This file could contain just the name of the machine you're on, or configuration settings like $debug = 0 or whatever else you want to customize for specific machines.

like image 22
deceze Avatar answered Oct 27 '22 21:10

deceze
Sign in to Comment

Related questions

How could I reduce PHP code with lots of isset checks and repetitive, but variable generation arguments?
how mysql_real_escape_string work
Ratchet Store Connection of User & Send Message Outside of Server Instance
How to disable website for specific time in zend framework?
PHP Exec SCP does not copy the file to the remote server
how to change current-time for unit testing date functions in php
How to setup table prefix in symfony2
can I display parameters value ($_POST, $_GET, $_SESSION, $_SESSION) using twig template engine component
PHP DOMElement is Immutable. = 'No Modification Allowed Error'
Getting PHPUnit Working - Include Path not set correctly?
Destructors and shutdown functions when exiting by Ctrl+C in PHP-CLI [closed]
PHP: How to add leading zeros/zero padding to float via sprintf()?
Sending Javascript Object to PHP via Ajax
Redirect::route with parameter in URL in Laravel 5
SimpleXML Attributes to Array
Choose or generate canonical variant from multiple sentences
Read file contents with Laravel
PHP Rename File name if Exists Append Number to End
view pdf without downloading using dompdf
Check if array value isset and is null

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!