2

I do not want to pass GET or POST variables to a script. I want to use the file name and use it to lookup the product from the php script for example:

......./DELL1500.php ......./COMPAQ1213.php

I have three questions:

  1. Where does PHP get the data for $_SERVER["SCRIPT_NAME"]: is it from the server or the client's browser?

  2. Can anyone think of any security issues of using this?

  3. Could this in any way be incompatible with any older browsers? I assume not if it's provided by the server.

jww
    ohhhh... *that's* how you spell "maintenance nightmare"... – nickf Aug 27 '09 at 15:46
  • Didn't anyone think that "`$_SERVER`" is assigned by the server.. hence the global variable? – Daryl Gill Apr 22 '13 at 00:43
  • Browsers (and other user agents) can influence some of the contents of $_SERVER (eg. $_SERVER['HTTP_ACCEPT']), so if unsure about a setting, it is better to ask than to assume! – Russ Sep 23 '13 at 13:48

4 Answers

7

$_SERVER['SCRIPT_NAME'] is server-side. There are no browser compatibility issues as a result, and there shouldn't be security issues as it is simply an indication of what the server is serving for the requested URL (i.e. http://example.com/ and http://example.com/index.php would both result in '/index.php').

That said, having a different PHP script per product strikes me as extraordinarily inefficient in this day and age of cheap, simple database-driven sites.

ceejayoz
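The per-file lookup the question describes, written as an added example that is not from the question or from this answer. The catalogue array, the helper names and the sample paths are constructed here so the script runs offline without a web server; in a deployed script the input would be $_SERVER['SCRIPT_NAME'] itself. The point it adds is that even a server-set value is best reduced to an allow-listed token before it becomes a lookup key.

```php
<?php
// Added example: derive a product key from a SCRIPT_NAME such as
// "/products/DELL1500.php" and validate it before using it for a lookup.

// Constructed product table standing in for the database the answer mentions.
$catalogue = [
    'DELL1500'   => ['name' => 'Dell 1500',   'price' => 499],
    'COMPAQ1213' => ['name' => 'Compaq 1213', 'price' => 399],
];

/**
 * Turn a script name into a product key. Only the basename is considered,
 * and it must be exactly one allow-listed token: 2-20 upper-case letters
 * or digits followed by ".php". Anything else yields null.
 */
function productKeyFromScriptName(string $scriptName): ?string
{
    $base = basename($scriptName);
    if (!preg_match('/^([A-Z0-9]{2,20})\.php$/', $base, $m)) {
        return null;
    }
    return $m[1];
}

/** Look the product up by exact key; never interpolate the key into a query or path. */
function lookupProduct(array $catalogue, string $scriptName): ?array
{
    $key = productKeyFromScriptName($scriptName);
    if ($key === null || !array_key_exists($key, $catalogue)) {
        return null;
    }
    return $catalogue[$key];
}

// Constructed script names. In a live request you would pass
// $_SERVER['SCRIPT_NAME'] ?? '' instead of these literals.
$samples = [
    '/DELL1500.php',                 // valid and in the catalogue
    '/shop/2009/COMPAQ1213.php',     // directory part is ignored, basename is valid
    '/HP9000.php',                   // well-formed but not a known product
    '/dell1500.php',                 // lower case fails the allow-list
    '/DELL1500.php.bak',             // wrong suffix fails the allow-list
];

foreach ($samples as $s) {
    $p = lookupProduct($catalogue, $s);
    printf("%-28s => %s\n", $s, $p ? $p['name'] : 'not found');
}
```

The allow-list regex does the real work: it turns an open-ended string into one of a small set of values, so the rest of the script never has to reason about what else a path could contain.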
5

I know this is an old post, but doing a quick search on Google for "PHP $_SERVER security" came up with this post and I could not believe what I am seeing.

You should encode and check all inputs regardless of how safe you think they are. For instance, the HTTP_HOST server variable is read from the headers of the request sent by the client. The "client" can be anything...not just browsers...for instance a PERL/python script someone wrote specifically to fuzz these headers.

From PHP documentation (again)...

'HTTP_HOST'

Contents of the Host: header from the current request, if there is one.

There is almost always a HTTP_HOST within the client request. This is not the only variable; Apache and PHP do not sanitize/encode these variables for you. You should encode and check ALWAYS and for ALL inputs including those "generated by the server."

<?php
// Encode every key and value taken from $_SERVER before using it
$server = array();
foreach ($_SERVER as $k => $v) {
    $server[urlencode($k)] = urlencode($v);
}

// Then check the value you rely on against a pattern. preg_match() takes the
// pattern first and the subject second; "..." and "X" are placeholders for
// your own pattern and key, as in the original.
if (!isset($server["X"]) || !preg_match("/^...$/", $server["X"])) {
    exit;
}
?>

Remember, never assume that the inputs into your applications are safe. It is not worth being lazy about -- just encode and check everything regardless of what others think.

Morbo
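An added example (not from this answer, and not PHP's own API) that makes the answer's point concrete: it sorts the entries of a $_SERVER-shaped array into the ones copied from the client's request and the ones the server fills in itself, then validates HTTP_HOST against an allow-list of hosts the site actually serves. The request array, the host list and the function names are all constructed here; the key classification reflects how Apache and PHP populate $_SERVER (HTTP_* entries are request headers verbatim, and SERVER_NAME follows the Host header under Apache's default UseCanonicalName Off).

```php
<?php
// Added example: which $_SERVER entries are client-influenced, and how to
// validate HTTP_HOST with an allow-list instead of urlencode()-ing everything.

// Non-HTTP_* entries that still come straight from the request line or
// from headers. PHP_SELF can carry PATH_INFO from the URL, and SERVER_NAME
// mirrors the Host header unless the web server is told to use a canonical name.
const CLIENT_CONTROLLED_KEYS = [
    'REQUEST_METHOD', 'REQUEST_URI', 'QUERY_STRING', 'PATH_INFO',
    'PATH_TRANSLATED', 'PHP_SELF', 'CONTENT_TYPE', 'CONTENT_LENGTH',
    'SERVER_PROTOCOL', 'SERVER_NAME',
];

function isClientControlled(string $key): bool
{
    return strncmp($key, 'HTTP_', 5) === 0
        || in_array($key, CLIENT_CONTROLLED_KEYS, true);
}

/** Split a $_SERVER-shaped array into client-influenced and server-set parts. */
function partitionServerVars(array $server): array
{
    $client = [];
    $own = [];
    foreach ($server as $k => $v) {
        if (isClientControlled($k)) {
            $client[$k] = $v;
        } else {
            $own[$k] = $v;
        }
    }
    return ['client' => $client, 'server' => $own];
}

/**
 * Return the Host header only if it names one of the hosts this site serves.
 * An optional ":port" is accepted and dropped; the comparison is
 * case-insensitive because host names are. Anything else, including an
 * absent header, yields null so the caller falls back to a configured value.
 */
function trustedHost(array $server, array $allowedHosts): ?string
{
    $raw = $server['HTTP_HOST'] ?? '';
    if (!preg_match('/^([A-Za-z0-9.-]{1,253})(:\d{1,5})?$/', $raw, $m)) {
        return null;
    }
    $host = strtolower($m[1]);
    return in_array($host, $allowedHosts, true) ? $host : null;
}

// Constructed request, shaped the way a web server would populate $_SERVER.
$request = [
    'SCRIPT_NAME'     => '/DELL1500.php',
    'SCRIPT_FILENAME' => '/var/www/html/DELL1500.php',
    'DOCUMENT_ROOT'   => '/var/www/html',
    'SERVER_NAME'     => 'shop.example.com',
    'REQUEST_METHOD'  => 'GET',
    'REQUEST_URI'     => '/DELL1500.php?ref=<b>sale</b>',
    'HTTP_HOST'       => 'Shop.Example.com',
    'HTTP_ACCEPT'     => 'text/html',
    'HTTP_USER_AGENT' => 'fuzz-script/0.1',
];

$parts = partitionServerVars($request);
echo "Client-influenced: " . implode(', ', array_keys($parts['client'])) . "\n";
echo "Server-set:        " . implode(', ', array_keys($parts['server'])) . "\n";

// Allow-listed host for building absolute links or redirects.
$host = trustedHost($request, ['shop.example.com']);
echo "Host to use in links: " . ($host ?? 'REJECTED, use configured host') . "\n";

// Output encoding belongs at the point of use, chosen per context: a value
// echoed into HTML needs htmlspecialchars(), not a blanket urlencode() up front.
echo "Safe to echo: " . htmlspecialchars($request['REQUEST_URI'], ENT_QUOTES, 'UTF-8') . "\n";
```

Two design choices differ from the snippet in the answer: the check is an allow-list of known-good hosts rather than a pattern on the raw header, and encoding is applied where a value is emitted (HTML here) rather than to the whole array on arrival, since the right encoding depends on whether the value ends up in HTML, a URL, a shell argument or a database query.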
-1

I think there are no security issues and it is created on the server so it doesn't depend on client browser. I think you can use it.

mck89
-1

PHP.net

$_SERVER is an array containing information such as headers, paths, and script locations. The entries in this array are created by the web server. There is no guarantee that every web server will provide any of these; servers may omit some, or provide others not listed here.

It should be completely safe to use, as it is generated by the server. On a personal note, I always sanitize anything from a super global, regardless of how safe it is supposed to be.

nilamo