Home > Backend Development > PHP Tutorial > How Reliable Are $_SERVER Variables in PHP Security?

How Reliable Are $_SERVER Variables in PHP Security?

Barbara Streisand
Release: 2024-11-12 16:03:02
Original
863 people have browsed it

How Reliable Are $_SERVER Variables in PHP Security?

Assessing the Security of $_SERVER Variables

HTTP request headers often contain information that can be controlled by the user. Consequently, many $_SERVER variables can be tainted by malicious input and become a source of attack.

Understanding Controlled Values

Server-controlled variables, such as 'SERVER_ADDR' and 'SERVER_SOFTWARE', are set by the server configuration and are inherently safe.

Partly server-controlled variables depend on the request and have limited valid values, making them reliable. Examples include 'REMOTE_ADDR' and 'REQUEST_TIME'.

Arbitrary User-Controlled Values

In contrast, arbitrary user-controlled values can contain any input sent by the client, including potentially malicious content. Variables such as 'HTTP_USER_AGENT' and 'PHP_SELF' fall into this category.

Assessing Reliability

Determining the reliability of $_SERVER variables depends on the specific usage and server configuration. For instance:

  • 'REMOTE_ADDR' is generally reliable, but can be spoofed in DNS attacks.
  • 'HTTP_HOST' can be considered safe if the server rejects requests with invalid host headers.
  • 'REQUEST_METHOD' is reliable if the server restricts allowed methods.

Categorization of $_SERVER Variables

  • Server controlled:

    • 'GATEWAY_INTERFACE'

    • 'SERVER_ADDR'

    • 'SERVER_SOFTWARE'

    • 'DOCUMENT_ROOT'

    • 'SERVER_ADMIN'

    • 'SERVER_SIGNATURE'


  • Partly server controlled:

    • 'HTTPS'

    • 'REQUEST_TIME'

    • 'REMOTE_ADDR'

    • 'REMOTE_HOST'

    • 'REMOTE_PORT'

    • 'SERVER_PROTOCOL'

    • 'HTTP_HOST'

    • 'SERVER_NAME'

    • 'SCRIPT_FILENAME'

    • 'SERVER_PORT'

    • 'SCRIPT_NAME'


  • Entirely arbitrary user controlled values:

    • 'argv', 'argc'

    • 'REQUEST_METHOD'

    • 'QUERY_STRING'

    • 'HTTP_ACCEPT'

    • 'HTTP_ACCEPT_CHARSET'

    • 'HTTP_ACCEPT_ENCODING'

    • 'HTTP_ACCEPT_LANGUAGE'

    • 'HTTP_CONNECTION'

    • 'HTTP_REFERER'

    • 'HTTP_USER_AGENT'

    • 'AUTH_TYPE'

    • 'PHP_AUTH_DIGEST'

    • 'PHP_AUTH_USER'

    • 'PHP_AUTH_PW'

    • 'PATH_INFO'

    • 'ORIG_PATH_INFO'

    • 'REQUEST_URI'

    • 'PHP_SELF'

    • 'PATH_TRANSLATED'

    • Any other 'HTTP_' value



Consider the context and potential consequences before trusting any $_SERVER variable.

The above is the detailed content of How Reliable Are $_SERVER Variables in PHP Security?. For more information, please follow other related articles on the PHP Chinese website!

source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Latest Articles by Author
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template