getting $host from $_SERVER
#1

As part of something else, I have a very small site running on a Raspberry Pi (Apache 2.4.38, PHP 8.1.15) and normally it works perfectly, but sometimes the log file shows a crash on config/constants. I tracked it down to the following:
PHP Code:
$host = $_SERVER['HTTP_HOST'];
$http_https = isset($_SERVER['HTTPS']) ? "https://" : "http://";
$baseURL = $http_https . $host;
define('BASE_URL', $baseURL);
I have set htaccess to force https. Sometimes when the site is accessed, don't know why, HTTP_HOST is missing from $_SERVER. The HTTPS key is also missing. Maybe in order to make Constants.php bullet-proof it would be good to have a fallback, e.g.
PHP Code:
if (array_key_exists('HTTP_HOST', $_SERVER)) $host = $_SERVER['HTTP_HOST'];
else $host = $_SERVER['SERVER_NAME'];

Bill
Reply
#2

(This post was last modified: 02-26-2023, 11:04 AM by Gary.)

Question: If HTTPS is forced, then why bother about a fallback... or isset($_SERVER['HTTPS'])?

The automatic redirection can be easily done in Apache, before it even gets to the CI code... this would likely be the easiest and "cleanest" solution in terms of the code and side-stepping the need for band-aids over all the possible holes (?).

The other question I would ask is whether $_SERVER['HTTP_HOST'] is necessary either (particularly on a small Raspberry Pi)... and then mostly only because, be it correct or not, many folk don't trust very much of what comes out of $_SERVER.
Reply
#3

You're right. I just saw the entry in the Apache log and thought I should eliminate it. Problem solved (or at least gone away).
Thanks, Bill
Reply
#4

Do not use $_SERVER['HTTP_HOST'] or $_SERVER['SERVER_NAME'] without validation.
Attackers may set any value to them.
Reply
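
One way to apply the advice in post #4, added here as an example and not code from the thread or from CodeIgniter: the Host header is accepted only if it matches a configured allow-list, and a fixed default is used when it is missing or unexpected. The host names and the `resolveBaseUrl()` helper are hypothetical, and the sample `$_SERVER` arrays are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list: the only names this site is meant to answer to.
const ALLOWED_HOSTS = ['pi.example.org', 'www.pi.example.org'];
// Hypothetical default, used when the Host header is absent or not allowed.
// SERVER_NAME is deliberately not the fallback (see post #4).
const DEFAULT_HOST = 'pi.example.org';

/**
 * Build the base URL from a validated host, never from the raw header.
 * Any port in the header is dropped; a non-standard port belongs in config.
 */
function resolveBaseUrl(array $server): string
{
    // HTTP_HOST is missing when the request carries no Host header.
    $host = strtolower(trim((string) ($server['HTTP_HOST'] ?? '')));

    // Accept "name" or "name:port" only; anything else is treated as absent.
    if (preg_match('/^([a-z0-9.-]+)(?::\d{1,5})?\z/', $host, $m) === 1) {
        $host = rtrim($m[1], '.');
    } else {
        $host = '';
    }

    // Strict comparison against the allow-list decides what is used.
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        $host = DEFAULT_HOST;
    }

    // The HTTPS key may be missing, empty or "off" for plain HTTP requests.
    $https = !empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off';

    return ($https ? 'https://' : 'http://') . $host;
}

// Constructed sample inputs standing in for $_SERVER.
$samples = [
    'normal request'    => ['HTTP_HOST' => 'pi.example.org', 'HTTPS' => 'on'],
    'mixed case + port' => ['HTTP_HOST' => 'PI.Example.org:443', 'HTTPS' => 'on'],
    'no Host, no HTTPS' => [],
    'unexpected host'   => ['HTTP_HOST' => 'unexpected.invalid', 'HTTPS' => 'on'],
    'malformed value'   => ['HTTP_HOST' => 'pi.example.org/<script>', 'HTTPS' => 'on'],
];

foreach ($samples as $label => $server) {
    printf("%-18s => %s\n", $label, resolveBaseUrl($server));
}
```

In Constants.php the call would be `define('BASE_URL', resolveBaseUrl($_SERVER));`.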
#5

(02-26-2023, 07:17 PM)kenjis Wrote: Do not use $_SERVER['HTTP_HOST'] or $_SERVER['SERVER_NAME'] without validation.
Attackers may set any value to them.

thanks, I'm slowly learning
Reply