Edward Vermillion wrote:
I was under the the impression that the non-'HTTP_*' keys in the $_SERVER array came from the server itself.
All of that data comes from the server, but it's difficult to determine which data can be influenced by information within the HTTP request. In other words, you get it from Apache, but it doesn't always originate there.
I blogged about this a while ago: http://shiflett.org/archive/98 Read the quiz at the very end, then read Geoff Young's comments.
I'm curoius how 'SERVER_NAME' could be manipulated by the client.
Zeev blogged about this: http://ibm.com/developerworks/blogs/dw_blog_comments.jspa?blog=481&entry=75480 Another one that surprises a lot of people is $_SERVER['PHP_SELF']: http://blog.phpdoc.info/archives/13-XSS-Woes.html
Is there anything in the $_SERVER array that *can* be considered safe?
Yes, but I've just adopted the habit of considering $_SERVER entirely tainted. It's too hard to safely distinguish between what's tainted and what's not, so I think it's best to play it safe and trust nothing.
If you read the above blog at IBM, you'll see that Rasmus disputes Zeev's claim, and Zeev has to explain further. Regardless of who is right (Zeev is, in this particular case), if one of the top PHP core developers gets it wrong, then what hope is there for me? If I consider all of $_SERVER to be tainted, I don't have to worry about making such a mistake.
Hope that helps. Chris -- Chris Shiflett Brain Bulb, The PHP Consultancy http://brainbulb.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
