Is there a good alternative to $_SERVER?
I read the following comment on PHP doc pages:
"Be warned that most contents of the Server-Array (even $_SERVER['SERVER_NAME']) are provided by the client and can be manipulated. They can also be used for injections and thus MUST be checked and treated like any other user input."
An then I saw a topic here on StackOverflow saying that $_SERVER['SERVER_NAME'] is partly server controlled.
Can I trust on this value to get the url of my website? If I can't really trust $_SERVER['SERVER_NAME'], how can I get this value? What are some possible alternatives and their pro and cons?
OBS: PHP 5.3 on Apache, Unix.
You can enforce this variable's safety by enabling the UseCanonicalName directive inside your Apache configuration, as described there http://www.apacheref.com/ref/http_core/UseCanonicalName.html
I usually hardcode the 'real' url to my website into a site configuration file. I wouldn't rely on what Apache 'says' to tell you your url. Do you have several different vhost or server aliases pointing to the same docroot?