Jiew Meng

Web Developer, Computer Science Student

18 Oct 2010

I sometimes want to get the script name, or some other attribute of $_SERVER, but am not sure which one I should use, so I made this screen capture summarizing what values I get for each attribute of $_SERVER when I request http://localhost/php/sql-injection.php?var1=2&var3=baz and http://localhost.com/php/sql-injection.php?var1=2&var3=baz

HTTP_HOST vs SERVER_NAME

via StackOverflow


  HTTP_HOST is obtained from the HTTP request header … SERVER_NAME is defined in server config … the one is a client-controlled value which may thus not be reliable and the other is a server-controlled value which is more reliable. You however need to ensure that the webserver in question has the SERVER_NAME correctly configured … SERVER_NAME is more reliable, but you’re dependent on the server config
  
  You need to set UseCanonicalName directive to on in the <VirtualHost> entry in httpd.conf

 <VirtualHost *>
     ServerName example.com
     UseCanonicalName on
 </VirtualHost> 
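
Since HTTP_HOST is copied from the request's Host header, code that builds absolute URLs from it can first check it against a fixed list. This is an added example, not code from the original post or the quoted answer; the host names, the `ALLOWED_HOSTS` and `CANONICAL_HOST` constants, and the `trusted_host()` helper are assumptions made for illustration.

```php
<?php
// Added example: accept HTTP_HOST only when it matches a fixed allowlist.
// All host names and sample inputs below are constructed for illustration.

const ALLOWED_HOSTS  = ['example.com', 'www.example.com'];
const CANONICAL_HOST = 'example.com'; // same name as ServerName in the vhost

/**
 * Return a host name that is safe to embed in generated URLs.
 * Takes an array shaped like $_SERVER so it can be exercised offline.
 */
function trusted_host(array $server): string
{
    $raw = strtolower(trim($server['HTTP_HOST'] ?? ''));

    // Accept only host[:port]; \z (not $) so an embedded newline cannot pass.
    if (!preg_match('/^([a-z0-9.-]+)(?::\d{1,5})?\z/', $raw, $m)) {
        return CANONICAL_HOST;
    }

    // "example.com." and "example.com" are the same name.
    $host = rtrim($m[1], '.');

    // Exact match against the allowlist; anything else gets the fixed name.
    return in_array($host, ALLOWED_HOSTS, true) ? $host : CANONICAL_HOST;
}

// Constructed inputs: two legitimate values, an unknown host,
// a value carrying CR/LF, and a request with no Host header at all.
$samples = [
    ['HTTP_HOST' => 'example.com'],
    ['HTTP_HOST' => 'WWW.Example.com:8080'],
    ['HTTP_HOST' => 'other.example.net'],
    ['HTTP_HOST' => "example.com\r\nX-Injected: 1"],
    [],
];

foreach ($samples as $server) {
    $given = $server['HTTP_HOST'] ?? '(none)';
    // json_encode makes control characters in the input visible.
    printf("%-34s => https://%s/\n", json_encode($given), trusted_host($server));
}
```

The helper drops the port and returns only the host name, so a caller that needs a non-default port should take it from its own configuration.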



SCRIPT_NAME vs PHP_SELF

via Phly, boy, phly


  SCRIPT_NAME is defined in the CGI 1.1 specification … However, not all web servers actually implement it, and thus it isn’t necessarily portable … PHP_SELF, on the other hand, is implemented directly by PHP, and as long as you’re programming in PHP, will always be present
