
secure php host name information - $_SERVER['HTTP_HOST'] alternative

I have a public facing debug script that I would only like to run on certain dev boxes, I was hoping to do this programmatically inside this script, by detecting the server IP or name.

So I have a question about the security of $_SERVER and $_SERVER['HTTP_HOST'] in particular.

From this: http://shiflett.org/blog/2006/mar/server-name-versus-http-host blog post I have gathered that this var is pretty insecure, and can't be trusted.

What is the best way to find out from php what box you are currently on?

I thought of using `__FILE__`, since that seems to be pretty secure, but I'm not sure I have enough info just from the file path.

I don't necessarily need the server name, even ip would be fine.

thanks in advance.

awongh asked Oct 12 '22 16:10


2 Answers

The best way? It depends on the level of control you have on your environment. Here are some options:

  1. Set an environmental variable via the webserver to indicate the box.

    if (getenv('env_server') == 'production')
    

    This is nice, since there are no files that you need to worry about. Just the webserver configuration.

  2. Set a file in a "known" place on the server, and check that (one file for the entire server).

    require('/path/to/environment.php');
    

    That file should define a constant to determine the environment.

  3. Manually configure each application for the server. This is the easiest to do, since it doesn't require anything on the server side, but it's also the least convenient since you need to manually configure each install...

  4. External IP address used to get to the site:

    $_SERVER['SERVER_ADDR']

    This is nice since it requires no additional configuration on the server side. But it will require you to keep a map of all active IP addresses, and the servers they are bound to (especially since more than 1 IP can point to the same server)...

ircmaxell answered Oct 27 '22 21:10


The best method is to explicitly define the machine by placing an environment config file on it and checking for it:

    if (file_exists('environment.php')) {
        include 'environment.php';
    }

This file could contain just the name of the machine you're on, or configuration settings like $debug = 0 or whatever else you want to customize for specific machines.

deceze answered Oct 27 '22 21:10
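A fail-closed gate for the debug script, combining the web server variable and the server-wide file from the answers above, as an added example that is not part of either answer. `env_server` is the variable name from the first answer; the `/etc/myapp/environment.php` path, the `dev` value, and the convention that the marker file returns a string are assumptions.

```php
<?php
// Added example. Decides the environment from operator-controlled sources only;
// request-derived values such as $_SERVER['HTTP_HOST'] are never consulted.

function resolve_environment(string $markerFile): string
{
    // 1. Variable set in the web server or PHP-FPM pool configuration.
    //    The name must not start with HTTP_: CGI-style SAPIs expose request
    //    headers as HTTP_* variables, which would make the value client-supplied.
    $env = getenv('env_server');
    if (is_string($env) && trim($env) !== '') {
        return strtolower(trim($env));
    }

    // 2. Server-wide marker file at an absolute path outside the document root
    //    (hypothetical path). Assumed to contain: <?php return 'dev';
    if (is_file($markerFile) && is_readable($markerFile)) {
        $value = include $markerFile; // 1 if the file returns nothing, false on failure
        if (is_string($value) && trim($value) !== '') {
            return strtolower(trim($value));
        }
    }

    // 3. Nothing configured on this box: treat it as production.
    return 'production';
}

function debug_allowed(string $environment, array $allowed = ['dev']): bool
{
    // Strict allow-list comparison; any unknown value is rejected.
    return in_array($environment, $allowed, true);
}

$environment = resolve_environment('/etc/myapp/environment.php');

if (!debug_allowed($environment)) {
    // Do not reveal that a debug script exists on non-dev boxes.
    http_response_code(404);
    exit;
}

// Debug output from here on runs only on boxes explicitly marked as dev.
echo "debug enabled for environment: {$environment}\n";
```

Because an unmarked box resolves to `production`, a missing or misconfigured marker disables the script instead of exposing it.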