Is this base_url setup valid?
#1

I had been reading this:
PHP Code:
/*
|--------------------------------------------------------------------------
| Base Site URL
|--------------------------------------------------------------------------
|
| URL to your CodeIgniter root. Typically this will be your base URL,
| WITH a trailing slash:
|
|    http://example.com/
|
| WARNING: You MUST set this value!
|
| If it is not set, then CodeIgniter will try guess the protocol and path
| your installation, but due to security concerns the hostname will be set
| to $_SERVER['SERVER_ADDR'] if available, or localhost otherwise.
| The auto-detection mechanism exists only for convenience during
| development and MUST NOT be used in production!
|
| If you need to allow multiple domains, remember that this file is still
| a PHP script and you can easily do that on your own.
|
*/
$config['base_url'] = '';

And I don't want to have any security problems, so in my production application I want to set up the base_url config correctly. With other projects I had done there was no problem because I only needed to use one domain... But now things have changed. I am doing something like a multidomain system... and one thing I am thinking of is:


PHP Code:
$config['base_url'] = strtolower(substr($_SERVER["SERVER_PROTOCOL"], 0, strpos($_SERVER["SERVER_PROTOCOL"], '/'))).'://'.$_SERVER['HTTP_HOST'];

Could that be correct?
Thank you.
#2

No, DO NOT use unvalidated $_SERVER['HTTP_HOST']!
#3

I use the following code snippet:

PHP Code:
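// Domains this application is allowed to serve
$allowed_domains = array('site1.com', 'site2.com');
$default_domain  = 'site1.com';

// Accept the Host header only if it matches the list exactly (strict comparison)
if (in_array($_SERVER['HTTP_HOST'], $allowed_domains, TRUE))
{
    $domain = $_SERVER['HTTP_HOST'];
}
else
{
    $domain = $default_domain;
}

// Pick the scheme from the HTTPS server variable
if ( ! empty($_SERVER['HTTPS']))
{
    $config['base_url'] = 'https://'.$domain;
}
else
{
    $config['base_url'] = 'http://'.$domain;
}
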
#4

None of these URL examples work in CI if you want to run a controller method from the CLI.
#5

(02-18-2016, 02:42 AM)Narf Wrote: No, DO NOT use unvalidated $_SERVER['HTTP_HOST']!

Then why? Any link to describe it? Thanks.
#6

The $_SERVER['HTTP_HOST'] value is created based on the request headers from the browser; it's easy to manipulate them. The value of $config['base_url'] is used, for example, in the URL helper, the form_open function, etc. You should not have a situation where some header from the client can change all the URLs on your page, or even change the action URL of a login form to some external location...

Therefore you should never ever trust user input blindly, and not only validate that it's a valid domain name, but in this case you should check that $_SERVER['HTTP_HOST'] is indeed set to a domain you own. I use a similar whitelist approach to Krycek's.

http://www.skeletonscribe.net/2013/05/pr...tacks.html
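As an added example (not code from any poster in this thread), the allowlist from post #3, the reasoning in post #6 and the CLI case raised in post #4 can be combined in one function. The name `resolve_base_url()`, the host names and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example; not code from the thread. Host names are placeholders.

/**
 * Hypothetical helper: derive base_url from the Host header only when the
 * header matches an allowlist; otherwise fall back to a fixed default.
 */
function resolve_base_url(array $server, array $allowed_hosts, $default_host)
{
    $host = $default_host;

    // CLI requests carry no Host header, so the default applies there.
    if (isset($server['HTTP_HOST']) && is_string($server['HTTP_HOST']))
    {
        // Host names are case-insensitive; compare in lowercase, strictly.
        $candidate = strtolower(trim($server['HTTP_HOST']));
        if (in_array($candidate, $allowed_hosts, TRUE))
        {
            $host = $candidate;
        }
    }

    // Some servers (IIS) set HTTPS to 'off' on plain HTTP requests.
    $https = ! empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';

    // CodeIgniter expects base_url WITH a trailing slash.
    return ($https ? 'https' : 'http').'://'.$host.'/';
}

$allowed_hosts = array('site1.com', 'site2.com');  // lowercase; list "host:port" if needed
$default_host  = 'site1.com';

// In application/config/config.php the call would be:
// $config['base_url'] = resolve_base_url($_SERVER, $allowed_hosts, $default_host);

// Constructed inputs: allowlisted host, header naming a foreign host, CLI (no header).
$samples = array(
    array('HTTP_HOST' => 'Site2.com', 'HTTPS' => 'on'),
    array('HTTP_HOST' => 'evil.example', 'HTTPS' => 'off'),
    array(),
);
foreach ($samples as $server)
{
    echo resolve_base_url($server, $allowed_hosts, $default_host), PHP_EOL;
}
```

Because the returned host always comes from the allowlist or the default, a client-supplied header can select among your own domains but never introduce a new one.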
#7

Not sure if this will help -- but instead of setting the base URL in the application/config file, you can set it in the main index.php page. Scroll down and you will see 'custom config values'. You can then set it like:

PHP Code:
$assign_to_config['base_url'] = 'https://yourwebsite.com/';