On Fri, Jan 20, 2012 at 10:07 AM, Haluk Karamete <halukkaramete@xxxxxxxxx> wrote:
> I marked those I already know as "can",
>
> $_SERVER['REMOTE_ADDR'] CAN
> $_SERVER['HTTP_REFERER'] CAN
> $_SERVER['HTTP_USER_AGENT'] CAN
> $_SERVER['REQUEST_URI'] CAN ( cause it contains the query string
> part and user/hacker can easily change that )
>
> Those I'm not too sure are as follows;
>
> $_SERVER['SERVER_NAME']
> $_SERVER['DOCUMENT_ROOT']
> $_SERVER['SCRIPT_NAME']
> $_SERVER['PHP_SELF']

All of 'em.

However, SERVER_NAME, DOCUMENT_ROOT, and SCRIPT_NAME come from the server, so it would have to be whoever controls the server doing the spoofing.

PHP_SELF could probably be faked in the code if done creatively. Naturally, no one would try to do this intentionally, but I wonder if something mischievous could be done with this if code was included from an external source.

--
Ghodmode
http://www.ghodmode.com/blog

--
PHP General Mailing List (http://www.php.net/)
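The request-versus-server split discussed in this message, as an added example that is not part of the original thread: it labels each `$_SERVER` entry by where its value originates and escapes every value before output. The helper names and the sample array are constructed for illustration, and `SERVER_NAME` is treated as server-set on the assumption that the web server is configured with a canonical name.

```php
<?php
// Added example: handle $_SERVER entries according to where they originate.

// Keys built from the request line (assumption: the usual SAPI layout,
// where PHP_SELF includes any PATH_INFO that followed the script name).
const REQUEST_DERIVED = ['REQUEST_URI', 'QUERY_STRING', 'PATH_INFO', 'PHP_SELF'];

// True when the value is copied from, or derived from, the HTTP request.
function is_client_influenced(string $key): bool
{
    // Every HTTP_* entry mirrors a request header.
    return strncmp($key, 'HTTP_', 5) === 0
        || in_array($key, REQUEST_DERIVED, true);
}

// Escape a value for an HTML context, whatever its origin.
function clean_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Return the address only if it parses as IPv4/IPv6, otherwise null.
function clean_ip(string $value): ?string
{
    $ip = filter_var($value, FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

// Constructed sample standing in for $_SERVER (not captured from a real request).
$server = [
    'REMOTE_ADDR'     => '203.0.113.7',
    'HTTP_REFERER'    => 'https://example.test/?q="x"',
    'HTTP_USER_AGENT' => 'ExampleAgent/1.0 <test>',
    'REQUEST_URI'     => '/form.php/extra%22path?a=1',
    'PHP_SELF'        => '/form.php/extra"path',
    'SCRIPT_NAME'     => '/form.php',
    'SERVER_NAME'     => 'example.test',
    'DOCUMENT_ROOT'   => '/var/www/html',
];

foreach ($server as $key => $value) {
    $origin = is_client_influenced($key) ? 'request' : 'server/connection';
    printf("%-16s %-18s %s\n", $key, $origin, clean_for_html($value));
}

// REMOTE_ADDR is validated as an address before it is logged or compared.
$ip = clean_ip($server['REMOTE_ADDR']);
printf("validated ip: %s\n", $ip ?? 'rejected');
```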