0

I've seen some posts like this which show that the current website domain is accessible from $_SERVER['HTTP_HOST'] and $_SERVER['SERVER_NAME']. The HTTP_HOST is an HTTP header and thus the user is free to change it. There is no reason to believe it's accurate. The SERVER_NAME doesn't change in my situation, because I use a domain alias that does change the domain but not the SERVER_NAME. What's best to do in this situation?

Simon

2 Answers

1

Although a user is free to change HTTP_HOST, they would hardly reach your site in this case.

Anyway, I see no problem in this ability to change. Okay, even if I set this header to some.bad.bad.words - whom would it harm?

Your Common Sense
0

You could trust your host name. Try with:

$hostname = exec('echo $HOSTNAME');
Lisitso
  • ANY environment variable can have only 2 sources, already mentioned in the question. It can be either a "trusted" hardcoded and thus useless value, or a user-supplied "untrusted" one. – Your Common Sense Apr 24 '13 at 14:22
  • I guess you're wrong. If the problem is that HTTP_HOST is unreliable, the method that I suggested is ok because it points to the local hostname value. This is not alterable by the user request. In my case, the solution reported worked perfectly. Regards. – Lisitso Apr 24 '13 at 14:38
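
One way to handle the domain-alias case from the question, as an added example that is not part of the original thread: accept the Host header only when it matches a fixed list of the domains and aliases the site serves, and fall back to a canonical name otherwise, so the value is safe to reuse when building absolute links or redirects. The domain names, ALLOWED_HOSTS, DEFAULT_HOST and resolve_host() are hypothetical names chosen for this sketch.

```php
<?php
// Added example, not code from the thread. All names below are assumptions.
// Every domain and alias this site is served under (constructed values).
const ALLOWED_HOSTS = ['example.com', 'www.example.com', 'alias.example.net'];
// Canonical name used when the request's Host header is missing or unknown.
const DEFAULT_HOST = 'example.com';

/**
 * Normalise a raw Host header and return it only if it is allowlisted.
 * Returns null for anything else, so the caller decides on the fallback.
 */
function resolve_host(?string $rawHost, array $allowed): ?string
{
    if ($rawHost === null || $rawHost === '') {
        return null;
    }
    $host = strtolower(trim($rawHost));
    // Drop an optional ":port" suffix (e.g. "alias.example.net:8080").
    $host = preg_replace('/:\d{1,5}\z/', '', $host);
    // Drop the trailing dot of a fully qualified name ("example.com.").
    $host = rtrim($host, '.');
    // Reject anything that is not plain hostname characters
    // (CR/LF, spaces, slashes, "@", IPv6 literals, ...).
    if (!preg_match('/^[a-z0-9.-]{1,253}\z/', $host)) {
        return null;
    }
    // Strict comparison against the fixed list: aliases pass, the rest do not.
    return in_array($host, $allowed, true) ? $host : null;
}

// In a request handler: the alias the visitor used, or the canonical name.
$currentHost = resolve_host($_SERVER['HTTP_HOST'] ?? null, ALLOWED_HOSTS) ?? DEFAULT_HOST;

// Constructed sample Host values, to show the behaviour from the CLI.
$samples = [
    'WWW.Example.com',
    'alias.example.net:8080',
    'example.com.',
    'some.bad.bad.words',
    "example.com\r\nX-Injected: 1",
    null,
];
foreach ($samples as $raw) {
    $host = resolve_host($raw, ALLOWED_HOSTS);
    printf("%-34s => %s\n", json_encode($raw), $host ?? 'rejected, use ' . DEFAULT_HOST);
}
```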