Predefined Variables

    PHP provides predefined variables that represent external variables, built-in environment variables, and other information about the execution environment, such as the number and values of the arguments passed to the script in the CLI environment.

    Table of Contents

    Found A Problem?

    Learn How To Improve This PageSubmit a Pull RequestReport a Bug
    add a note

    User Contributed Notes 16 notes

    up
    29
    New York PHP
    19 years ago
    Warning: $_SERVER['PHP_SELF'] can include arbitrary user input. The documentation should be updated to reflect this.

    The request "http://example.com/info.php/attack%20here" will run /info.php, but in Apache $_SERVER['PHP_SELF'] will equal "/info.php/attack here". This is a feature, but it means that PHP_SELF must be treated as user input.

    The attack string could contain urlencoded HTML and JavaScript (cross-site scripting) or it could contain urlencoded linebreaks (HTTP response-splitting).

    The use of $_SERVER['SCRIPT_NAME'] is recommended instead.
    up
    16
    nathan
    19 years ago
    Also on using IPs to look up country & city, note that what you get might not be entirely accurate. If their ISP is based in a different city or province/state, the IPs may be owned by the head office, and used across several areas.
    You also have rarer situations where they might be SSHed into another server, on the road, at work, at a friend's... It's a nice idea, but as the example code shows, it should only be used to set defaults.
    up
    11
    danvasile at pentest dot ro
    18 years ago
    If you have problems with $_SERVER['HTTPS'], especially if it returns no values at all you should check the results of phpinfo(). It might not be listed at all.
    Here is a solution to check and change, if necessary, to ssl/https that will work in all cases:

    <?php
    if ($_SERVER['SERVER_PORT']!=443) {
    $sslport=443; //whatever your ssl port is
    $url = "https://". $_SERVER['SERVER_NAME'] . ":" . $sslport . $_SERVER['REQUEST_URI'];
    header("Location: $url");
    }
    ?>

    Of course, this should be done before any html tag or php echo/print.
    up
    10
    Joe Marty
    18 years ago
    I think it is very important to note that PHP will automatically replace dots ('.') AND spaces (' ') with underscores ('_') in any incoming POST or GET (or REQUEST) variables.

    This page notes the dot replacement, but not the space replacement:
    http://us2.php.net/manual/en/language.variables.external.php

    The reason is that '.' and ' ' are not valid characters to use in a variable name. This is confusing to many people, because most people use the format $_POST['name'] to access these values. In this case, the name is not used as a variable name but as an array index, in which those characters are valid.

    However, if the register_globals directive is set, these names must be used as variable names. As of now, PHP converts the names for these variables before inserting them into the external variable arrays, unfortunately - rather than leaving them as they are for the arrays and changing the names only for the variables set by register_globals.

    If you want to use:
    <input name="title for page3.php" type="text">

    The value you will get in your POST array, for isntance would be:
    $_POST['title_for_page3_php']
    up
    11
    Nicolae Namolovan
    17 years ago
    SECURITY RISK !

    Never ever trust the values that comes from $_SERVER.

    HTTP_X_FORWARDED, HTTP_X_FORWARDED_FOR, HTTP_FORWARDED_FOR, HTTP_FORWARDED, etc.. can be spoofed !

    To get the ip of user, use only $_SERVER['REMOTE_ADDR'], otherwise the 'ip' of user can be easily changed by sending a HTTP_X_* header, so user can escape a ban or spoof a trusted ip.

    Of course this is well know, but I don't see it mentioned in these notes..

    If you use the ip only for tracking (not for any security features like banning or allow access to something by ip), you can also use HTTP_X_FORWARDED to get user's ip what are behind proxy.
    up
    11
    jameslporter at gmail dot com
    19 years ago
    Refer to CanonicalName if you are not getting the ServerName in the $_SERVER[SERVER_NAME] variable....This was a pain to figure out for me...now it works as expected by turning canonical naming on.

    http://www.apacheref.com/ref/http_core/UseCanonicalName.html