Can the PHP variable $_SERVER['SERVER_NAME'] be forged or faked? I was planning on using that as a security measure for form posting. I would check to make sure that variable is my site name (www.example.com). I know HTTP_REFERRER can be faked, but I wasn't sure on this one.
Thanks!
Actually $_SERVER['SERVER_NAME'] can be affected by what the client browser sends over... See http://shiflett.org/blog/2006/mar/server-name-versus-http-host for a through investigation on the issue.
By a visitor it can't normally be faked out. But I suspect you would want to enforce a certain SERVER_NAME to license scripts so they can only be used by particular domains. In this case the answer is yes, this variable can definitely be faked.
The reason is simple, the server sets this value. In most cases you would have PHP running as an Apache module, but sometimes you have other Apache modules, sometime you have PHP running in CGI mode with NGINX or IIS, sometimes you even have PHP running as CLI forked as a child process by a custom-built server deployed in a cloud. Those servers would be responsible for setting that variable.
Plus, there's always the manual assignment.
$_SERVER['SERVER_NAME'] = ... // this can go above all your scripts
It can't be faked, persay, but it will always return your site name. It is useful if you are running multiple sites off of the same script and, for example, use a different database depending on the host name provided.
The PHP documentation says:
'SERVER_NAME'
The name of the server host under which the current script is executing. If the script is running on a virtual host, this will be the value defined for that virtual host.
Related
Apparently $_SERVER['SERVER_NAME'] is set only when executing the php script from the browser.
Is there any way to know the server's name from the command line ?
I tried php_uname("n") as proposed in this discussion PHP Server Name from Command Line. But it doesn't work for me, it returns my username instead of the server's name.
There is no "server" involved when executing a script from the command line. You're just running a program on a machine. That machine isn't per se associated with any domain name. One machine can run multiple web servers which are each responsible for several domains. So $_SERVER['SERVER_NAME'], which comes from the web server's configuration (e.g. Apache's ServerName directive), only makes sense in the context of an incoming HTTP request.
You'll need to manually configure/tell your script what domain it should work on, it can't detect it without context.
well, you need to know that there are some different between SAPI's in PHP, when you are running a PHP script in your web browser, you are using the HTTP Server SAPI ( Apache2 or nginx or whatever ), so the returned data in the $_SERVER variable will depends on the headers that the web server itself will throw to PHP, While in the terminal you are running PHP Under CLI SAPI which is serverless so to speak Unless you are using the built-in php server.
Take a look at the $_SERVER manual page :-
$_SERVER is an array containing information such as headers, paths,
and script locations. The entries in this array are created by the web
server. There is no guarantee that every web server will provide any
of these; servers may omit some, or provide others not listed here.
That said, a large number of these variables are accounted for in the
ยป CGI/1.1 specification, so you should be able to expect those.
which is mean - again - that the data that will $_SERVER variable will hold will depends on the information that the web server will return/throw .
As a workaround you can check if the script is running under the CLI SAPI, and then set some custom values for the $_SERVER variable
Use print_r($_SERVER) to see all the attributes on server variables. Maybe another one will fit your needs.
Cheers!
I have a single code base which I am deploying to multiple servers.
I need to identify which server the code is running on in order to use the correct configuration information for the database and so on.
I initially tried using the DOCUMENT_ROOT and checking for the account name.
if (strpos($_SERVER['DOCUMENT_ROOT'], '/var/www/vhosts/SOMETHING.com/') !== false)
{ //is a specific server }
This works well, however I discovered that when my cron jobs are executed DOCUMENT_ROOT is empty, when initiated from Plesk.
Does a better way exist to identify the server?
I do not wish to have a server specific configuration file because the FTP sync software which ensures all files are the same across all servers does not support excluding some files.
Plus, the servers may be running different control panels and setups, so I wish something as general as possible.
You can pass server name as a command line argument when setting up the cron job.
I found $_SERVER['HOME'] via cron is the same as DOCUMENT_ROOT.
This works the same on plesk and cpanel implementations of cron.
I believe this is better than passing the parameter via the cron command because I would still need to test for it, and also would have to set cron per server, rather that handling this inside the script.
I have no idea about PHP.
I have PHP site hosted on Server A. Now I want to transfer the hosting to another company having Windows hosting on Server B.
Can I just transfer all the contents of WWWROOT folder of Server A to Server B? Will the site work that way? Or I do have to get the source, compile and publish it?
Thanks!
the process is this:
copy the content from server A to B (also db dump)
make sure your site is working on server B correct
set a redirect on server A to server B (usually in .htaccess file)
edit DNS entries to point to server B
wait that DNS changes have been picked up (note: as suggested by Emil you can reduce this time by lowering TTL setting on the DNS entries)
remove content from server A (end hosting)
PHP is not (usually) compiled, you should be able to simply copy the files and directories over and they should at least run. You may have to set up a database and connections to it, change some configuration in the scripts and you may or may not run into incompatibilities between different PHP versions and/or UNIX/Windows problems though, depending on how portable the scripts were written.
you don't need to compile anything. it's enough to copy project directory from one server to another. one thing can cause your project not working on ohter hosting, if there will not be installed some php-extensions that are required for you project.
and of course, if your project uses some databases, they must be created on new server
PHP scripts are source code and are compiled when needed. Simply moving the files is enough. Problems may occur if it is a package that has been isntalled on that server and may have some properties in various files about absolute paths to other files.
Also, issues will occur if the files are talking to a local SQL server or the such.
Many hosting companies offer a free (or sometimes payed) service to copy your website accross including any databases. Ask your hosting company for help.
No need to compile, however you have to make sure that the new server meets all the requirements of your application (e.g. server modules) and that paths are correctly configured. Also under some circumstances the PHP version can matter as well. Only one way to find out!
I know this is a newb question, but I searched the archives and couldn't find an exact answer to this. So when a php script is run and the php interpreter parses the script and finds code that says open a database connection and perform a query, how does this actually happen? What goes on in the background that actually fulfills this request?
The PHP script contacts the MySQL server in the same way you would use the Internet, only with a different protocol (instead of HTTP it uses MySQL's syntax). If you set the server to localhost it doesn't actually have to use the Internet but it still does the same stuff, just offline, in the same way as if you contact your own localhost via your browser. The data returned is sent back to the PHP script.
Like how HTTP uses port 80, MySQL uses port 3306. You could actually contact MySQL yourself outside of PHP technically.
im not sure im 100% correct :/
i think the answer is, when apache is loaded(started) the httpd deamon checks the php.ini file and loads up the various dlls that are set with LoadModule eg "LoadModule ssl_module modules/mod_ssl.so" and all the the dlls from the bin directory "have a look" there's lots of dll for most of the protocols, in this particular case when a mysql statement is passed through the purser libmysql.dll handles the internals.
Is there an easy forwarding/transparent php proxy script that I can host on my web server? These are my conditions:
I'm using free web hosting, so I have pretty much no control over my machine. Otherwise I could use Perl's HTTP::Proxy module. This means no root password. It does run php though.
I already have a server running on port 80. What I mean is I would like to put a php script as index.php on my server that will forward all requests.
I don't want a script like PHProxy or Glype where I go to the site, then enter a URL. I want a server so I can enter proxy.example.com:80 in Firefox's or IE's or whatever's proxy settings and it will forward all requests to the server.
Preferably (though not fatal if not possible) I would like for it to pass on the USER_AGENT environmental variable (That's the browser) instead of setting itself to be the USER_AGENT
I can't start a new Daemon. My server won't allow it.
Is there a script that will do this? If so, which?
No, I'm fairly sure this is not possible on shared hosting. It will fail your condition number 3. This needs support on web server level (e.g. using Apache's mod_proxy)
For this to work, you would have to set up the remote server to be able to deal with proxied requests. No sane web server will offer that possibility.