
Which $_SERVER Variables Are Safe to Use in PHP?

DDD
Release: 2024-11-11 00:55:03

Identifying Safe $_SERVER Variables

Variables whose values a user can control can be exploited by attackers and must be treated as unsafe, or "tainted." This article aims to provide a comprehensive list of $_SERVER variables and how safe each one is.

Server Controlled

These variables are set by the server and are unaffected by user input:

  • 'GATEWAY_INTERFACE'
  • 'SERVER_ADDR'
  • 'SERVER_SOFTWARE'
  • 'DOCUMENT_ROOT'
  • 'SERVER_ADMIN'
  • 'SERVER_SIGNATURE'

Partly Server Controlled

These variables depend on the client's request but have limited valid values, making them reliable:

  • 'HTTPS'
  • 'REQUEST_TIME'
  • 'REMOTE_ADDR' (Verified by TCP/IP handshake)
  • 'REMOTE_HOST' (Potentially spoofable)
  • 'REMOTE_PORT'
  • 'SERVER_PROTOCOL'
  • 'HTTP_HOST' (If not handled by the server)
  • 'SERVER_NAME'
  • 'SCRIPT_FILENAME'
  • 'SERVER_PORT'
  • 'SCRIPT_NAME'

Entirely Arbitrary User Controlled

These variables are vulnerable to user manipulation:

  • 'argv', 'argc'
  • 'REQUEST_METHOD'
  • 'QUERY_STRING'
  • 'HTTP_ACCEPT'
  • 'HTTP_ACCEPT_CHARSET'
  • 'HTTP_ACCEPT_ENCODING'
  • 'HTTP_ACCEPT_LANGUAGE'
  • 'HTTP_CONNECTION'
  • 'HTTP_REFERER'
  • 'HTTP_USER_AGENT'
  • 'AUTH_TYPE'
  • 'PHP_AUTH_DIGEST'
  • 'PHP_AUTH_USER'
  • 'PHP_AUTH_PW'
  • 'PATH_INFO'
  • 'ORIG_PATH_INFO'
  • 'REQUEST_URI' (May contain tainted data)
  • 'PHP_SELF' (May contain tainted data)
  • 'PATH_TRANSLATED'
  • Any other 'HTTP_' value

Environment Variables

The safety of environment variables depends on their source. They can range from completely server controlled to completely user controlled.
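
The categories above translate into handling rules, shown here as an added example that is not part of the original article: escape user-controlled values before output, prefer 'SCRIPT_NAME' over 'PHP_SELF', and accept 'HTTP_HOST' only when it matches a known host. The `ALLOWED_HOSTS` list, the helper names and the sample request are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist of host names this application serves (constructed values).
const ALLOWED_HOSTS = ['www.example.test', 'example.test'];

/**
 * Return the request host only if it is on the allowlist; otherwise fall back
 * to the first configured host. HTTP_HOST is taken from the client's Host header.
 */
function trusted_host(array $server): string
{
    $host = strtolower((string)($server['HTTP_HOST'] ?? ''));
    // Strip an optional :port suffix before comparing.
    $host = (string)preg_replace('/:\d+$/', '', $host);
    return in_array($host, ALLOWED_HOSTS, true) ? $host : ALLOWED_HOSTS[0];
}

/** Escape a tainted value for an HTML text or attribute context. */
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build a form action from SCRIPT_NAME instead of PHP_SELF, still escaped on output. */
function form_action(array $server): string
{
    return html((string)($server['SCRIPT_NAME'] ?? '/'));
}

// Constructed sample request: extra path data carrying markup, and an unknown Host header.
$sample = [
    'PHP_SELF'        => '/form.php/"><b>injected</b>',
    'SCRIPT_NAME'     => '/form.php',
    'HTTP_HOST'       => 'unknown.example.invalid',
    'HTTP_USER_AGENT' => '<i>agent</i>',
];

echo 'raw PHP_SELF:      ', $sample['PHP_SELF'], PHP_EOL;   // must never reach HTML as-is
echo 'escaped PHP_SELF:  ', html($sample['PHP_SELF']), PHP_EOL;
echo 'form action:       ', form_action($sample), PHP_EOL;
echo 'host for links:    ', trusted_host($sample), PHP_EOL;
echo 'user agent (HTML): ', html($sample['HTTP_USER_AGENT']), PHP_EOL;
```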


source:php.cn