4

I read the following comment on PHP doc pages:

"Be warned that most contents of the Server-Array (even $_SERVER['SERVER_NAME']) are provided by the client and can be manipulated. They can also be used for injections and thus MUST be checked and treated like any other user input."

And then I saw a topic here on StackOverflow saying that $_SERVER['SERVER_NAME'] is partly server controlled.

Can I trust this value to get the URL of my website? If I can't really trust $_SERVER['SERVER_NAME'], how can I get this value? What are some possible alternatives and their pros and cons?

Note: PHP 5.3 on Apache, Unix.

Ramon K.

2 Answers

3

I usually hardcode the 'real' URL to my website into a site configuration file. I wouldn't rely on what Apache 'says' to tell you your URL. Do you have several different vhosts or server aliases pointing to the same docroot?

Ray
  • Actually, I'm also hardcoding it until now. Just wondering if there is a more efficient way. But it's good to know that is a practice. – Ramon K. Sep 07 '12 at 14:17
1

You can enforce this variable's safety by enabling the UseCanonicalName directive inside your Apache configuration, as described at http://www.apacheref.com/ref/http_core/UseCanonicalName.html

Axel Isouard
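
The two approaches from the answers above, combined in one sketch. This is an added example and not part of either answer; the host names, the `SITE_BASE_URL` constant and the function names are assumptions, and the code avoids syntax newer than PHP 5.3.

```php
<?php
// Added example; host names and function names are constructed for illustration.

// Answer 1: the canonical origin lives in site configuration, not in the request.
define('SITE_BASE_URL', 'https://www.example.com');

// Hosts this docroot may answer for (e.g. several vhost aliases). Lowercase, no port.
$allowedHosts = array('www.example.com', 'example.com');

// Answer 2, in httpd.conf: "UseCanonicalName On" together with "ServerName
// www.example.com" makes Apache fill SERVER_NAME from its own configuration.
// With "UseCanonicalName Off", SERVER_NAME can carry the client-supplied host.

/** Build absolute URLs (redirects, e-mail links) from configuration only. */
function absolute_url($path)
{
    return rtrim(SITE_BASE_URL, '/') . '/' . ltrim($path, '/');
}

/**
 * Return the normalised host if it is on the allowlist, otherwise null.
 * $server is normally $_SERVER; it is a parameter so the check can be exercised.
 */
function trusted_host(array $server, array $allowed)
{
    $raw = isset($server['SERVER_NAME']) ? (string) $server['SERVER_NAME'] : '';
    $host = strtolower(rtrim($raw, '.'));   // case-insensitive, ignore trailing dot
    return in_array($host, $allowed, true) ? $host : null;
}

// Constructed sample values standing in for $_SERVER on four requests.
$samples = array(
    array('SERVER_NAME' => 'www.example.com'),
    array('SERVER_NAME' => 'EXAMPLE.com.'),
    array('SERVER_NAME' => 'unexpected-host.invalid'),
    array(),                                 // variable missing entirely
);

foreach ($samples as $server) {
    $shown = isset($server['SERVER_NAME']) ? $server['SERVER_NAME'] : '(unset)';
    $host  = trusted_host($server, $allowedHosts);
    // A real front controller would answer 400 and stop when $host is null.
    printf("%-26s => %s\n", $shown, $host === null ? 'rejected' : 'accepted as ' . $host);
}

echo absolute_url('/account/confirm'), "\n";
```

The allowlist check covers the multi-vhost case raised in the first answer: the request host is only ever compared against configured values, and links are always built from `SITE_BASE_URL`.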