getting $host from $_SERVER - Printable Version +- CodeIgniter Forums (https://forum.codeigniter.com) +-- Forum: CodeIgniter 4 (https://forum.codeigniter.com/forumdisplay.php?fid=28) +--- Forum: CodeIgniter 4 Support (https://forum.codeigniter.com/forumdisplay.php?fid=30) +--- Thread: getting $host from $_SERVER (/showthread.php?tid=86912) |
getting $host from $_SERVER - badger - 02-26-2023 As part of something else, I have a very small site running on a raspberry pi (apache2.4.38, php8.1.15) and normally it works perfectly but sometimes the log file shows a crash on config/constants. I tracked it down to the following: PHP Code: $host = $_SERVER['HTTP_HOST']; PHP Code: if(array_key_exists('HTTP_HOST',$_SERVER)) $host = $_SERVER['HTTP_HOST']; Bill RE: getting $host from $_SERVER - Gary - 02-26-2023 Question: If HTTPS is forced, then why bother about a fallback... or isset($_SERVER['HTTPS']? The automatic redirection can be easily done in Apache, before it even gets to the CI code... this would likely be the easiest and "cleanest" solution in terms of the code and side-stepping the need for band-aids over all the possible holes (?). The other question I would ask is whether $_SERVER[' HTTP_HOST'] is necessary either (particularly on a small Raspberry PI)... and then mostly only because- be it correct or not- many folk don't trust very much of what comes out of $_SERVER. RE: getting $host from $_SERVER - badger - 02-26-2023 you're right. i just saw the entry in the apache log and thought i should eliminate it. problem solved (or at least gone away) Thanks, Bill RE: getting $host from $_SERVER - kenjis - 02-26-2023 Do not use $_SERVER['HTTP_HOST'] or $_SERVER['SERVER_NAME'] without validation. Attackers may set any value to them. RE: getting $host from $_SERVER - badger - 02-27-2023 (02-26-2023, 07:17 PM)kenjis Wrote: Do not use $_SERVER['HTTP_HOST'] or $_SERVER['SERVER_NAME'] without validation. thanks, I'm slowly learning |