Is it safe to use $_SERVER["SCRIPT_NAME"]?

I don't want to pass GET or POST variables to the script. I want to use the filename and use it to find a product from a PHP script, for example:

......./DELL1500.php ......./COMPAQ1213.php

I have three questions:

  • Where does PHP get the data for $_SERVER["SCRIPT_NAME"]: from the server or from the client browser?

  • Can anyone think of any security issues when using this?

  • Could it be incompatible with any old browsers? I'm guessing not, if it's provided by the server.

+2




5 answers


$_SERVER['SCRIPT_NAME'] is server-side. As a result, there are no browser compatibility issues, and there should be no security issues, as this is simply an indication of which script the server is serving for the requested URL (i.e. http://example.com/ and http://example.com/index.php both result in '/index.php').



However, having another PHP script for the product strikes me as extremely inefficient in this day and age of cheap, simple database sites.

+7




I know this is an old post, but a quick Google search for "PHP $_SERVER security" came up with this post and I couldn't believe what I was seeing.

You must encode and test all inputs no matter how secure you think it is. For example, the server variable HTTP_HOST is read from the headers of the request sent by the client. The "client" can be anything ... not just browsers ... for example, someone wrote a PERL / python script specifically to confuse these headers.

From PHP documentation (again) ...

'HTTP_HOST'

    Contents of the Host: header from the current request, if there is one.

There is almost always an HTTP_HOST in the client request. It is not the only such variable, and Apache and PHP do not sanitize / encode these variables for you. You must encode and validate ALWAYS and for ALL inputs, including those "generated by the server".

<?php
// Encode every key and value of $_SERVER before using it.
// Non-string entries (e.g. argv under the CLI) are skipped so urlencode()
// is only ever given a string.
$server = array();
foreach ($_SERVER as $k => $v) {
    if (!is_scalar($v)) {
        continue;
    }
    $server[urlencode($k)] = urlencode((string) $v);
}

// preg_match() takes (pattern, subject, &$matches): the value under test is
// the second argument. The pattern and key were left as "..." / "X"
// placeholders in the original post and are kept as placeholders here.
$pattern = '/.../';   // placeholder pattern from the original post
$key     = 'X';       // placeholder key from the original post
if (!isset($server[$key]) || !preg_match($pattern, $server[$key])) {
    exit;
}
?>

Remember, never assume that logins to your applications are secure. It's not worth being lazy about - just code and test everything, no matter what others think.

+4
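As an added example that is not from the original question or any of its answers, the following PHP applies the advice in the answer above to the asker's scenario: the product code is taken from $_SERVER['SCRIPT_NAME'], normalised with basename() and matched against a strict pattern before being looked up in a table, while HTTP_HOST, which the answer notes is copied from the client's Host: header, is compared against an allow-list instead of being used directly. The product table, the allowed host names and the sample inputs are all constructed for this example.

```php
<?php
declare(strict_types=1);

// Derive a product code from SCRIPT_NAME. The web server sets SCRIPT_NAME when
// it resolves the request to a script, but the value is still normalised and
// matched against a strict pattern before it is used for anything.
function productCodeFromScriptName(string $scriptName): ?string
{
    // Strip directory components: "/shop/DELL1500.php" -> "DELL1500.php".
    $file = basename($scriptName);

    // Accept only an upper-case alphanumeric code followed by ".php".
    if (preg_match('/^([A-Z0-9]{1,32})\.php$/', $file, $m) !== 1) {
        return null;
    }
    return $m[1];
}

// Constructed product table: the code is looked up here rather than being
// trusted to correspond to a file on disk.
const PRODUCTS = [
    'DELL1500'   => ['name' => 'Dell 1500',   'price' => 499.00],
    'COMPAQ1213' => ['name' => 'Compaq 1213', 'price' => 399.00],
];

function findProduct(string $scriptName): ?array
{
    $code = productCodeFromScriptName($scriptName);
    return $code === null ? null : (PRODUCTS[$code] ?? null);
}

// HTTP_HOST is copied from the client's Host: header, so it is validated
// against an allow-list before it is used (e.g. to build absolute URLs).
function isTrustedHost(string $host, array $allowedHosts): bool
{
    // Drop an optional ":port" suffix and compare case-insensitively.
    $name = strtolower((string) preg_replace('/:\d+$/', '', $host));
    return in_array($name, $allowedHosts, true);
}

// Constructed sample SCRIPT_NAME values, two of which must be rejected.
$samples = [
    '/DELL1500.php',
    '/shop/COMPAQ1213.php',
    '/shop/readme.txt',           // wrong extension, rejected
    '/dell1500.php',              // lower-case code, rejected by the pattern
];
foreach ($samples as $s) {
    $p = findProduct($s);
    printf("%-24s -> %s\n", $s, $p === null ? 'no product' : $p['name']);
}

// Constructed Host: header values checked against a constructed allow-list.
$allowed = ['example.com', 'www.example.com'];
foreach (['example.com', 'www.example.com:443', 'other.example'] as $h) {
    printf("%-22s -> %s\n", $h, isTrustedHost($h, $allowed) ? 'trusted' : 'rejected');
}
```

Run it from the command line with `php example.php`; in a real handler you would pass `$_SERVER['SCRIPT_NAME']` and `$_SERVER['HTTP_HOST']` to the two functions instead of the sample arrays. The lookup table is what keeps the design safe: even if a request somehow arrives with an unexpected script name, the worst outcome is a "no product" result, never an arbitrary file being read.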




I think there is no security issue and it is generated on the server so it is independent of the client browser. I think you can use it.

0




From PHP.net:

    $_SERVER is an array containing information such as headers, paths and script locations. The entries in this array are generated by the web server. There is no guarantee that every web server will provide any of these; servers may omit some or provide others not listed here.

It should be completely safe to use as it is generated by the server. On a personal note, I always sanitize anything super-global, no matter how secure it should be.

0




  • All $_SERVER[] variables are server specific.
  • No.
  • No.

Also, take a look at this older Stack Overflow post.

0

