Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
567 views
in Technique[技术] by (71.8m points)

php - how safe is $_SERVER["HTTP_HOST"]?

I have a database full of website urls, the primary key is the $_SERVER["HTTP_HOST"] of the website.

When a user navigates to ... lets say www.my-epic-example-url.com, It will connect the the database and use the $_SERVER["HTTP_HOST"] of that websites, then fetches all the data referencing that website!

What I want to know is, how safe is $_SERVER["HTTP_HOST"] ?

Can it be externally modified?

The only reason i ask is because i read an artical a while back ( cant remember where it was ) saying be careful when using $_SERVER because it is unsafe...

Is this true?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

$_SERVER["HTTP_HOST"] is the HTTP Host header, as sent from the client. That makes this header generally unsafe.

But, if you are in a typical virtual host setup in which the web server decides which script to execute based on VirtualHost configurations, which in turn are triggered by the HTTP Host header, your script should not get executed unless a known, whitelisted value was received in that header.

If the web server does not care about the Host header and executes a certain script for any and all requests, then this value could be absolutely anything.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...