Is there a good alternative to $_SERVER?

I read the following comment on PHP doc pages:

"Be warned that most contents of the Server-Array (even $_SERVER['SERVER_NAME']) are provided by the client and can be manipulated. They can also be used for injections and thus MUST be checked and treated like any other user input."

And then I saw a topic here on StackOverflow saying that $_SERVER['SERVER_NAME'] is partly server controlled.

Can I trust this value to get the URL of my website? If I can't really trust $_SERVER['SERVER_NAME'], how can I get this value? What are some possible alternatives and their pros and cons?

Note: PHP 5.3 on Apache, Unix.

Answers


You can enforce this variable's safety by enabling the UseCanonicalName directive inside your Apache configuration, as described here: http://www.apacheref.com/ref/http_core/UseCanonicalName.html


I usually hardcode the 'real' URL of my website into a site configuration file. I wouldn't rely on what Apache 'says' to tell you your URL. Do you have several different vhosts or server aliases pointing to the same docroot?
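The configuration-file approach from the answer above, as an added example that is not part of the original answers: the origin used to build absolute URLs comes from site configuration, and the request's Host header is accepted only on an exact allowlist match. The function name `site_origin`, the config keys and the host names are assumptions made for illustration; the code avoids syntax newer than PHP 5.3.

```php
<?php
// Added example (not from the original page). Host names below are constructed.

// Operator-controlled site configuration: never derived from the request.
$config = array(
    'canonical_origin' => 'https://www.example.com',
    'allowed_hosts'    => array('www.example.com', 'example.com'),
);

/**
 * Return the origin to use when building absolute URLs (links, redirects,
 * password-reset mails). The client-supplied Host header is used only if it
 * exactly matches an allowlisted name; otherwise the canonical origin wins.
 */
function site_origin(array $config, array $server)
{
    $host = isset($server['HTTP_HOST']) ? strtolower($server['HTTP_HOST']) : '';
    // Drop an optional ":port" suffix before comparing.
    $host = preg_replace('/:\d+\z/', '', $host);

    // Strict comparison: no substring or regex matching against user input.
    if (in_array($host, $config['allowed_hosts'], true)) {
        $https = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
        return ($https ? 'https' : 'http') . '://' . $host;
    }
    return $config['canonical_origin'];
}

// Constructed request environments standing in for $_SERVER.
$samples = array(
    array('HTTP_HOST' => 'example.com:443', 'HTTPS' => 'on'),    // allowlisted alias
    array('HTTP_HOST' => 'attacker.invalid'),                    // spoofed Host header
    array('HTTP_HOST' => "www.example.com\r\nX-Injected: 1"),    // header-injection attempt
    array(),                                                     // no Host header at all
);

foreach ($samples as $server) {
    echo site_origin($config, $server), "\n";
}
```

Only the first sample keeps its request host; the other three fall back to the configured canonical origin.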

