13

According to this post: Which $_SERVER variables are safe? and another I've seen, a client seems to be able to set custom $_SERVER variables. For example: $_SERVER['HTTP_EXAMPLE']

How would a client actually set a value to $_SERVER['HTTP_EXAMPLE']?

Grumpy

2 Answers

16

If you have access to the Apache config file, you can do it using mod_env:

```
SetEnv HTTP_EXAMPLE http_example
```

Then you can access that variable:

```php
echo $_SERVER["HTTP_EXAMPLE"]; // outputs http_example
```

Alex

7

You can just set the variable in your script if you want:

```php
$_SERVER['DOCUMENT_ROOT'] = 'test';
echo $_SERVER['DOCUMENT_ROOT'];  // test
```

What that other article is really referring to is spoofed variables such as the REMOTE_ADDR, which is reported by the client.

For more info on that, check out this post on faking the REMOTE_ADDR: How to fake $_SERVER['REMOTE_ADDR'] variable?

Asta
  • I mean from the client side, not the server side. A client who wouldn't have access to raw PHP code. The other article also lists "any other 'HTTP_' value" under client side set. – Grumpy May 01 '15 at 13:58
  • Updated with a link to a related post. It's kind of an open ended question as there are many potential ways to mess about with things – Asta May 01 '15 at 14:03
  • I guess this `$_SERVER["variable"]` can be used to store a global variable – Hebe Jul 15 '22 at 12:54
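
How a client-side value reaches `$_SERVER['HTTP_EXAMPLE']`, as an added example that is not part of the original question or answers: PHP follows the CGI convention (RFC 3875), so a request header such as `Example: hello` shows up under the key `HTTP_EXAMPLE`. The function names and the sample array below are constructed for illustration.

```php
<?php
// Added illustration; function names and sample data are hypothetical.

// CGI convention (RFC 3875): the header name is upper-cased, '-' becomes '_',
// and the result is prefixed with "HTTP_".
function headerToServerKey(string $headerName): string
{
    return 'HTTP_' . strtoupper(str_replace('-', '_', $headerName));
}

// Keys of a $_SERVER-style array whose values come from request headers.
// Content-Type and Content-Length are mapped without the HTTP_ prefix.
function clientSuppliedKeys(array $server): array
{
    $keys = [];
    foreach (array_keys($server) as $key) {
        if (strncmp((string)$key, 'HTTP_', 5) === 0
            || in_array($key, ['CONTENT_TYPE', 'CONTENT_LENGTH'], true)) {
            $keys[] = $key;
        }
    }
    return $keys;
}

// Read a header-derived value defensively: allow-list the format, cap the length.
function readExampleHeader(array $server): ?string
{
    $value = $server[headerToServerKey('Example')] ?? null;
    if (!is_string($value) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $value)) {
        return null;
    }
    return $value;
}

// Constructed sample: what $_SERVER could look like for a request carrying
// the headers "Example: hello" and "X-Forwarded-For: 203.0.113.7".
$server = [
    'REQUEST_METHOD'       => 'GET',
    'CONTENT_TYPE'         => 'text/plain',
    'HTTP_HOST'            => 'app.example',
    'HTTP_EXAMPLE'         => 'hello',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.7',
];

echo headerToServerKey('X-Forwarded-For'), PHP_EOL;
echo implode(', ', clientSuppliedKeys($server)), PHP_EOL;
var_dump(readExampleHeader($server));
// A value containing CR/LF fails the allow-list and is rejected.
var_dump(readExampleHeader(['HTTP_EXAMPLE' => "hello\r\nSet-Cookie: x=1"]));
```

The `SetEnv HTTP_EXAMPLE` line from the first answer uses the same key name a request header would map to, so application code should not infer from the key alone that a value was set by the server.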