8

I have a database full of website urls, the primary key is the $_SERVER["HTTP_HOST"] of the website.

When a user navigates to ... lets say www.my-epic-example-url.com, It will connect the the database and use the $_SERVER["HTTP_HOST"] of that websites, then fetches all the data referencing that website!

What I want to know is, how safe is $_SERVER["HTTP_HOST"] ?

Can it be externally modified?

The only reason i ask is because i read an artical a while back ( cant remember where it was ) saying be careful when using $_SERVER because it is unsafe...

Is this true?

AlexMorley-Finch
  • 6,785
  • 15
  • 68
  • 103
  • 2
    possible duplicate of [Which $_SERVER variables are safe?](http://stackoverflow.com/questions/6474783/which-server-variables-are-safe) – mellamokb Apr 27 '12 at 12:31
  • Please don't close this as dupe, it's now a circular reference since I am linking from [Which $_SERVER variables are safe?](http://stackoverflow.com/questions/6474783/which-server-variables-are-safe) to here for a detailed explanation of `HTTP_HOST`. – deceze Apr 27 '12 at 12:59
  • Possible duplicate of [What is the difference between HTTP\_HOST and SERVER\_NAME in PHP?](https://stackoverflow.com/questions/2297403/what-is-the-difference-between-http-host-and-server-name-in-php) –  Apr 09 '18 at 14:17

1 Answers1

19

$_SERVER["HTTP_HOST"] is the HTTP Host header, as sent from the client. That makes this header generally unsafe.

But, if you are in a typical virtual host setup in which the web server decides which script to execute based on VirtualHost configurations, which in turn are triggered by the HTTP Host header, your script should not get executed unless a known, whitelisted value was received in that header.

If the web server does not care about the Host header and executes a certain script for any and all requests, then this value could be absolutely anything.

deceze
  • 510,633
  • 85
  • 743
  • 889
  • You ought to add some of this into your comprehensive answer on the dupe. You don't specifically explain the VirtualHost part there. – Michael Berkowski Apr 27 '12 at 12:52
  • 4
    Done, referred to this answer from the other. :) – deceze Apr 27 '12 at 12:59
  • 1
    Note that they are known ways of bypassing the VirtualHost restriction, like using absolute URI in the HTTP request, this leads to a free-to-play Host header. So the *generally unsafe* is very true. – regilero Sep 05 '14 at 07:55