
I'm writing an app using php and have been looking into security issues. I'd like to know how the following code grabs browser information and how it is passed from the browser to the server:

$_SERVER['HTTP_USER_AGENT']
$_SERVER['REMOTE_ADDR']
gethostbyaddr($_SERVER['REMOTE_ADDR'])

Is this information encrypted when it's passed from the client PC to the server? Would it be easy for a hacker to steal this data?

Janey
  • $_SERVER variables don't come from the browser; they come from the web **server** (Apache, nginx, etc)... if they contain browser information, then it is information that the browser has sent to the webserver in its request headers – Mark Baker May 04 '16 at 08:44
  • This might contain some useful information: http://security.stackexchange.com/questions/32299/is-server-a-safe-source-of-data-in-php – Daan May 04 '16 at 08:47
  • `HTTP_USER_AGENT` is not something you can trust. `REMOTE_ADDR` can also be the IP of the load balancer or proxy server, so you should check for the header `X-Forwarded-For` as well. What security issues are you trying to solve anyway? – Mjh May 04 '16 at 08:57
  • What do you mean by "encrypted"? Who should "steal" such data? – Nico Haase Aug 26 '20 at 07:58

3 Answers

1

Browser -> Apache -> PHP

Spoofing/faking $_SERVER variables other than the HTTP_ ones is difficult, as there are some handshakes between your Apache and the browser, so if someone tries to spoof these variables he will not receive any response. For example, if someone tries to spoof REMOTE_ADDR, it is probable that the request will not be completed.

On the other hand, all the variables that start with HTTP_ are easy to spoof, and they are sent to PHP just as received by Apache from the browser. So, for example, a user can write a curl script with a custom User-Agent (HTTP_USER_AGENT) and you will receive the response as it is.

Ghulam Ali
1

$_SERVER, this superglobal variable, is passed from the web server rather than PHP, but some of its entries are taken from the HTTP request header: those with the prefix "HTTP_" are generated by the client (request header), while REMOTE_ADDR is the address on the TCP level, not arbitrary, but also no guarantee.

  • HTTP_USER_AGENT is in plain text in the header, easy to modify
  • REMOTE_ADDR technically is the TCP-level IP address; it requires some equipment or specific software to fake it to the server.
Shintiger
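Added example, not code from either answer above: it puts into PHP what Ghulam Ali's and Shintiger's answers describe, treating every HTTP_* entry as text the client wrote and trusting X-Forwarded-For (the header Mjh's comment mentions) only when REMOTE_ADDR is one of our own proxies. The proxy addresses and the sample requests are assumptions constructed for the example.

```php
<?php
// Added example, not code from any answer on this page. It applies what the
// answers say: REMOTE_ADDR is the TCP peer the web server accepted, while every
// HTTP_* entry is copied verbatim from a request header the client wrote.
// The list of our own reverse proxies is an assumption for this example.

const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6']; // assumed load balancers

function clientIp(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        throw new RuntimeException('REMOTE_ADDR missing or malformed');
    }
    // Direct connection: the TCP peer is the client; ignore any X-Forwarded-For
    // the client may have added itself.
    if (!in_array($remote, TRUSTED_PROXIES, true)) {
        return $remote;
    }
    // Behind our own proxy: X-Forwarded-For reads "client, hop1, hop2, ...".
    // Walk from the right, skipping hops we operate; the first hop we do not
    // operate is the client. Anything left of it was written by the client.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: fall back to the proxy's own address
        }
        if (!in_array($hops[$i], TRUSTED_PROXIES, true)) {
            return $hops[$i];
        }
    }
    return $remote;
}

function userAgent(array $server): string
{
    // Header text is client-controlled: bound its length and drop control
    // characters before it reaches a log line or an HTML page.
    $ua = substr($server['HTTP_USER_AGENT'] ?? '', 0, 512);
    return preg_replace('/[\x00-\x1F\x7F]/', '', $ua);
}

// Constructed sample requests (not captured traffic).
$direct  = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1'];
$proxied = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 10.0.0.6'];
$withUa  = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_USER_AGENT' => "curl/8.0\r\nfake: yes"];
echo clientIp($direct), "\n";   // 203.0.113.7 (client-written header ignored)
echo clientIp($proxied), "\n";  // 203.0.113.7 (taken from the trusted chain)
echo userAgent($withUa), "\n";  // curl/8.0fake: yes (CR/LF stripped)
```

Note that gethostbyaddr() on the result is a reverse DNS lookup, so the name it returns is set by whoever controls the reverse zone for that address and deserves no more trust than a header.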
0

Essentially the PHP script gets these variables from the web server. On the manual page, there is a list of the variable names, and their descriptions.

So to answer your question shortly, they are gotten from the Web Server you are using.

If someone was to try to fake an example, like $_SERVER['REMOTE_ADDR'], there is information on how it can be done here, though I've never looked into it.

Hope this helps in some way :)

murchu27
Jack Hales