Useful Snippets

Welcome!


This blog is used to collect useful snippets related to Linux, PHP, MySQL and more. Feel free to post comments with improvements or questions!

Are your smart devices spying on you? Make better purchasing choices and find products that respect your privacy at Unwanted.cloud

RSS Latest posts from my personal blog


Most viewed posts


Subscribe to RSS feed


Safe and unsafe PHP $_SERVER variables

Stanislav KhromovStanislav Khromov

Taken from an excellent post on Stack Overflow.

Server controlled

These variables are set by the server environment and depend entirely on the server configuration.

'GATEWAY_INTERFACE'
'SERVER_ADDR'
'SERVER_SOFTWARE'
'DOCUMENT_ROOT'
'SERVER_ADMIN'
'SERVER_SIGNATURE'

Partly server controlled

These variables depend on the specific request the client sent, but can only take a limited number of valid values, since all invalid values should be rejected by the web server and not cause the invocation of the script to begin with. Hence they can be considered reliable.

'HTTPS'
'REQUEST_TIME'
'REMOTE_ADDR' *
'REMOTE_HOST' *
'REMOTE_PORT' *
'SERVER_PROTOCOL'
'HTTP_HOST' †
'SERVER_NAME' †
'SCRIPT_FILENAME'
'SERVER_PORT'
'SCRIPT_NAME'

† If your web server responds to any request regardless of HOST header, this should be considered unsafe as well. See How safe is $_SERVER[“HTTP_HOST”]?. Also see http://shiflett.org/blog/2006/mar/server-name-versus-http-host.

Entirely arbitrary user controlled values

These values are not checked at all and do not depend on any server configuration, they are entirely arbitrary information sent by the client.

'argv', 'argc' (only applicable to CLI invocation, not usually a concern for web servers)
'REQUEST_METHOD' ‡
'QUERY_STRING'
'HTTP_ACCEPT'
'HTTP_ACCEPT_CHARSET'
'HTTP_ACCEPT_ENCODING'
'HTTP_ACCEPT_LANGUAGE'
'HTTP_CONNECTION'
'HTTP_REFERER'
'HTTP_USER_AGENT'
'AUTH_TYPE' §
'PHP_AUTH_DIGEST' §
'PHP_AUTH_USER' §
'PHP_AUTH_PW' §
'PATH_INFO'
'ORIG_PATH_INFO'
'REQUEST_URI' (may contain tainted data)
'PHP_SELF' (may contain tainted data)
'PATH_TRANSLATED'
any other 'HTTP_' value

‡ May be considered reliable as long as the web server allows only certain request methods.

§ May be considered reliable if authentication is handled entirely by the web server.

The superglobal $_SERVER also includes several environment variables. Whether these are “safe” or not depend on how (and where) they are defined. They can range from completely server controlled to completely user controlled.

Source

PHP

Web Developer at Aftonbladet (Schibsted Media Group)
Any opinions on this blog are my own and do not reflect the views of my employer.
LinkedIn
Twitter
WordPress.org Profile
Visit my other blog

Comments 0
There are currently no comments.