Home > Backend Development > PHP Tutorial > Which $_SERVER Variables Are Safe to Use in PHP?

Which $_SERVER Variables Are Safe to Use in PHP?

DDD
Release: 2024-11-11 00:55:03
Original
526 people have browsed it

Which $_SERVER Variables Are Safe to Use in PHP?

Identifying Safe $_SERVER Variables

Attackers can exploit variables that users can control, rendering them unsafe or "tainted." This article aims to provide a comprehensive list of $_SERVER variables and their respective safety levels.

Server Controlled

These variables are set by the server and are unaffected by user input:

  • 'GATEWAY_INTERFACE'
  • 'SERVER_ADDR'
  • 'SERVER_SOFTWARE'
  • 'DOCUMENT_ROOT'
  • 'SERVER_ADMIN'
  • 'SERVER_SIGNATURE'

Partly Server Controlled

These variables depend on the client's request but have limited valid values, making them reliable:

  • 'HTTPS'
  • 'REQUEST_TIME'
  • 'REMOTE_ADDR' (Verified by TCP/IP handshake)
  • 'REMOTE_HOST' (Potentially spoofable)
  • 'REMOTE_PORT'
  • 'SERVER_PROTOCOL'
  • 'HTTP_HOST' (If not handled by the server)
  • 'SERVER_NAME'
  • 'SCRIPT_FILENAME'
  • 'SERVER_PORT'
  • 'SCRIPT_NAME'

Entirely Arbitrary User Controlled

These variables are vulnerable to user manipulation:

  • 'argv', 'argc'
  • 'REQUEST_METHOD'
  • 'QUERY_STRING'
  • 'HTTP_ACCEPT'
  • 'HTTP_ACCEPT_CHARSET'
  • 'HTTP_ACCEPT_ENCODING'
  • 'HTTP_ACCEPT_LANGUAGE'
  • 'HTTP_CONNECTION'
  • 'HTTP_REFERER'
  • 'HTTP_USER_AGENT'
  • 'AUTH_TYPE'
  • 'PHP_AUTH_DIGEST'
  • 'PHP_AUTH_USER'
  • 'PHP_AUTH_PW'
  • 'PATH_INFO'
  • 'ORIG_PATH_INFO'
  • 'REQUEST_URI' (May contain tainted data)
  • 'PHP_SELF' (May contain tainted data)
  • 'PATH_TRANSLATED'
  • Any other 'HTTP_' value

Environment Variables

The safety of environment variables depends on their source. They can range from completely server controlled to completely user controlled.

The above is the detailed content of Which $_SERVER Variables Are Safe to Use in PHP?. For more information, please follow other related articles on the PHP Chinese website!

source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template