CodeIgniter Forums
getting $host from $_SERVER - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: CodeIgniter 4 (https://forum.codeigniter.com/forumdisplay.php?fid=28)
+--- Forum: CodeIgniter 4 Support (https://forum.codeigniter.com/forumdisplay.php?fid=30)
+--- Thread: getting $host from $_SERVER (/showthread.php?tid=86912)



getting $host from $_SERVER - badger - 02-26-2023

As part of something else, I have a very small site running on a raspberry pi (apache2.4.38, php8.1.15) and normally it works perfectly but sometimes the log file shows a crash on config/constants. I tracked it down to the following:
PHP Code:
$host $_SERVER['HTTP_HOST'];
   
$http_https = isset($_SERVER['HTTPS']) ? "https://" "http://";
   
$baseURL $http_https $host;
   
define('BASE_URL',$baseURL); 
I have set htaccess to force https. Sometimes when the site is accessed, don't know why, HTTP_HOST is missing from $_SERVER. The HTTPS key is also missing. Maybe in order to make Constants.php bullet-proof it would be good to have a fallback eg
PHP Code:
if(array_key_exists('HTTP_HOST',$_SERVER)) $host $_SERVER['HTTP_HOST'];
   else 
$host=$_SERVER['SERVER_NAME']; 

Bill


RE: getting $host from $_SERVER - Gary - 02-26-2023

Question: If HTTPS is forced, then why bother about a fallback... or isset($_SERVER['HTTPS']?

The automatic redirection can be easily done in Apache, before it even gets to the CI code... this would likely be the easiest and "cleanest" solution in terms of the code and side-stepping the need for band-aids over all the possible holes (?).

The other question I would ask is whether $_SERVER[' HTTP_HOST'] is necessary either (particularly on a small Raspberry PI)... and then mostly only because- be it correct or not- many folk don't trust very much of what comes out of $_SERVER.


RE: getting $host from $_SERVER - badger - 02-26-2023

you're right. i just saw the entry in the apache log and thought i should eliminate it. problem solved (or at least gone away)
Thanks, Bill


RE: getting $host from $_SERVER - kenjis - 02-26-2023

Do not use $_SERVER['HTTP_HOST'] or $_SERVER['SERVER_NAME'] without validation.
Attackers may set any value to them.


RE: getting $host from $_SERVER - badger - 02-27-2023

(02-26-2023, 07:17 PM)kenjis Wrote: Do not use $_SERVER['HTTP_HOST'] or $_SERVER['SERVER_NAME'] without validation.
Attackers may set any value to them.

thanks, I'm slowly learning