search

Home  >  Article  >  Backend Development  >  How Reliable Are $_SERVER Variables in PHP Security?

How Reliable Are $_SERVER Variables in PHP Security?

Barbara Streisand
Barbara StreisandOriginal
2024-11-12 16:03:02809browse

How Reliable Are $_SERVER Variables in PHP Security?

Assessing the Security of $_SERVER Variables

HTTP request headers often contain information that can be controlled by the user. Consequently, many $_SERVER variables can be tainted by malicious input and become a source of attack.

Understanding Controlled Values

Server-controlled variables, such as 'SERVER_ADDR' and 'SERVER_SOFTWARE', are set by the server configuration and are inherently safe.

Partly server-controlled variables depend on the request and have limited valid values, making them reliable. Examples include 'REMOTE_ADDR' and 'REQUEST_TIME'.

Arbitrary User-Controlled Values

In contrast, arbitrary user-controlled values can contain any input sent by the client, including potentially malicious content. Variables such as 'HTTP_USER_AGENT' and 'PHP_SELF' fall into this category.

Assessing Reliability

Determining the reliability of $_SERVER variables depends on the specific usage and server configuration. For instance:

  • 'REMOTE_ADDR' is generally reliable, but can be spoofed in DNS attacks.
  • 'HTTP_HOST' can be considered safe if the server rejects requests with invalid host headers.
  • 'REQUEST_METHOD' is reliable if the server restricts allowed methods.

Categorization of $_SERVER Variables

  • Server controlled:

    • 'GATEWAY_INTERFACE'

    • 'SERVER_ADDR'

    • 'SERVER_SOFTWARE'

    • 'DOCUMENT_ROOT'

    • 'SERVER_ADMIN'

    • 'SERVER_SIGNATURE'


  • Partly server controlled:

    • 'HTTPS'

    • 'REQUEST_TIME'

    • 'REMOTE_ADDR'

    • 'REMOTE_HOST'

    • 'REMOTE_PORT'

    • 'SERVER_PROTOCOL'

    • 'HTTP_HOST'

    • 'SERVER_NAME'

    • 'SCRIPT_FILENAME'

    • 'SERVER_PORT'

    • 'SCRIPT_NAME'


  • Entirely arbitrary user controlled values:

    • 'argv', 'argc'

    • 'REQUEST_METHOD'

    • 'QUERY_STRING'

    • 'HTTP_ACCEPT'

    • 'HTTP_ACCEPT_CHARSET'

    • 'HTTP_ACCEPT_ENCODING'

    • 'HTTP_ACCEPT_LANGUAGE'

    • 'HTTP_CONNECTION'

    • 'HTTP_REFERER'

    • 'HTTP_USER_AGENT'

    • 'AUTH_TYPE'

    • 'PHP_AUTH_DIGEST'

    • 'PHP_AUTH_USER'

    • 'PHP_AUTH_PW'

    • 'PATH_INFO'

    • 'ORIG_PATH_INFO'

    • 'REQUEST_URI'

    • 'PHP_SELF'

    • 'PATH_TRANSLATED'

    • Any other 'HTTP_' value



Consider the context and potential consequences before trusting any $_SERVER variable.

The above is the detailed content of How Reliable Are $_SERVER Variables in PHP Security?. For more information, please follow other related articles on the PHP Chinese website!

php if for include this input ul li https
Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Previous article:How to Prevent XSS Attacks: Should You Escape HTML Form Input Default Values in PHP?Next article:How to Prevent XSS Attacks: Should You Escape HTML Form Input Default Values in PHP?

Related articles

See more