SERVER['HTTP

 

I did a lot of searching and also read the PHP $_SERVER docs. Do I have this right regarding which to use for my PHP scripts for simple link definitions used throughout my site?

$_SERVER['SERVER_NAME'] is based on your web servers config file (Apache2 in my case), and varies depending on a few directives: (1) VirtualHost, (2) ServerName, (3) UseCanonicalName, etc.

$_SERVER['HTTP_HOST'] is based on the request from the client.

Therefore, it would seem to me that the proper one to use in order to make my scripts as compatible as possible would be $_SERVER['HTTP_HOST'] . Is this assumption correct?

Followup comments:

I guess I got a little paranoid after reading this article and noting that some folks said "they wouldn't trust any of the $_SERVER vars":

  • http://markjaquith.wordpress.com/2009/09/21/php-server-vars-not-safe-in-forms-or-links/

  • http://php.net/manual/en/reserved.variables.server.php#89567 (comment: Vladimir Kornea 14-Mar-2009 01:06)

    • Apparently the discussion is mainly about $_SERVER['PHP_SELF'] and why you shouldn't use it in the form action attribute without proper escaping to prevent XSS attacks.

    My conclusion about my original question above is that it is "safe" to use $_SERVER['HTTP_HOST'] for all links on a site without having to worry about XSS attacks, even when used in forms.

    Please correct me if I'm wrong.

    That's probably everyone's first thought. But it's a little bit more difficult. See Chris Shiflett's article SERVER_NAME Versus HTTP_HOST .

    It seems that there is no silver bullet. Only when you force Apache to use the canonical name you will always get the right server name with SERVER_NAME .

    So you either go with that or you check the host name against a white list: 

    $allowed_hosts = array('foo.example.com', 'bar.example.com');
if (!isset($_SERVER['HTTP_HOST']) || !in_array($_SERVER['HTTP_HOST'], $allowed_hosts)) {
    header($_SERVER['SERVER_PROTOCOL'].' 400 Bad Request');
    exit;
}

    Just an additional note - if the server runs on a port other than 80 (as might be common on a development/intranet machine) then HTTP_HOST contains the port, while SERVER_NAME does not. 

    $_SERVER['HTTP_HOST'] == 'localhost:8080'
$_SERVER['SERVER_NAME'] == 'localhost'

    (At least that's what I've noticed in Apache port-based virtualhosts)

    As Mike has noted below, HTTP_HOST does not contain :443 when running on HTTPS (unless you're running on a non-standard port, which I haven't tested).

    This is a verbose translation of what Symfony uses to get the host name (see the second example for a more literal translation): 

    function getHost() {
    $possibleHostSources = array('HTTP_X_FORWARDED_HOST', 'HTTP_HOST', 'SERVER_NAME', 'SERVER_ADDR');
    $sourceTransformations = array(
        "HTTP_X_FORWARDED_HOST" => function($value) {
            $elements = explode(',', $value);
            return trim(end($elements));
        }
    );
    $host = '';
    foreach ($possibleHostSources as $source)
    {
        if (!empty($host)) break;
        if (empty($_SERVER[$source])) continue;
        $host = $_SERVER[$source];
        if (array_key_exists($source, $sourceTransformations))
        {
            $host = $sourceTransformations[$source]($host);
        } 
    }

    // Remove port number from host
    $host = preg_replace('/:d+$/', '', $host);

    return trim($host);
}

    Outdated:

    This is my translation to bare PHP of a method used in Symfony framework that tries to get the hostname from every way possible in order of best practice: 

    function get_host() {
    if ($host = $_SERVER['HTTP_X_FORWARDED_HOST'])
    {
        $elements = explode(',', $host);

        $host = trim(end($elements));
    }
    else
    {
        if (!$host = $_SERVER['HTTP_HOST'])
        {
            if (!$host = $_SERVER['SERVER_NAME'])
            {
                $host = !empty($_SERVER['SERVER_ADDR']) ? $_SERVER['SERVER_ADDR'] : '';
            }
        }
    }

    // Remove port number from host
    $host = preg_replace('/:d+$/', '', $host);

    return trim($host);
}
    链接地址: http://www.djcxy.com/p/42252.html

    上一篇: 什么是“升级”

    下一篇: SERVER ['HTTP