...

View Full Version : Can $_SERVER['DOCUMENT_ROOT'] be trusted?



cfructose
03-30-2010, 12:36 PM
I keep reading that we can't always trust what's returned in $_SERVER.

That's fine, but I'm still unclear whether this applies to all its values or only to some.

Is $_SERVER['DOCUMENT_ROOT'] foolproof, for example, or should I be wary of depending on it for finding absolute paths?

xconspirisist
03-30-2010, 01:06 PM
On the whole, $_SERVER can be trusted to be accurate, but may contain dangerous values. DOCUMENT_ROOT should always be sane because it is a local filesystem path that does not come from the client. Bear in mind that keys such as REQUEST_URI are essentially provided by the client and should be filtered (http://uk2.php.net/manual/en/book.filter.php).

DOCUMENT_ROOT is defined in your configuration file, so, do you trust yourself? :)

http://uk2.php.net/manual/en/reserved.variables.server.php
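
The split described in the reply above, as an added example that is not part of the original thread: the keys the web server sets from its own configuration versus the keys it copies out of the client's request, with validators for the client-derived ones. The $sample array is a constructed request so the script runs from the CLI (pass $_SERVER itself in production); the ALLOWED_HOSTS list and the host names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread): sorting $_SERVER into server-configured
// keys and request-derived keys, then validating the request-derived ones.
// $sample is a constructed request; on a real server you would pass $_SERVER.

$sample = [
    // Set from httpd.conf / the vhost; the client cannot influence these.
    'DOCUMENT_ROOT'   => '/home/user/public_html/domain',
    'SERVER_SOFTWARE' => 'Apache',
    // Copied from the request line and headers; attacker-controlled.
    'REQUEST_URI'     => '/shared/../../../etc/passwd?x=%3Cscript%3E',
    'HTTP_HOST'       => 'evil.example',
    'HTTP_USER_AGENT' => 'curl/8.0',
    // Under Apache this mirrors the Host header unless UseCanonicalName is On.
    'SERVER_NAME'     => 'evil.example',
];

/** Hosts this site is allowed to answer for (hypothetical allow-list). */
const ALLOWED_HOSTS = ['www.domain.example', 'domain.example'];

/**
 * Return the request's host name only if it is on the allow-list, else null.
 * Use this wherever a host name ends up in generated URLs, redirects or
 * password-reset e-mails; never echo HTTP_HOST or SERVER_NAME unchecked.
 */
function trusted_host(array $server, array $allowed): ?string
{
    $host = strtolower($server['HTTP_HOST'] ?? $server['SERVER_NAME'] ?? '');
    $host = preg_replace('/:\d+\z/', '', $host);       // drop an explicit port
    return in_array($host, $allowed, true) ? $host : null;
}

/**
 * Return the request path as a decoded, slash-rooted string containing only
 * unreserved characters and no "." or ".." segments, or null if it is unsafe
 * to hand to the filesystem or a template.
 */
function clean_request_path(array $server): ?string
{
    $path = parse_url($server['REQUEST_URI'] ?? '/', PHP_URL_PATH);
    if (!is_string($path)) {
        return null;
    }
    $path = rawurldecode($path);
    if (strpbrk($path, "\0\\") !== false) {            // NUL bytes, backslashes
        return null;
    }
    if (preg_match('#(^|/)\.\.?(/|$)#', $path)) {      // "." or ".." segments
        return null;
    }
    if (!preg_match('#\A/[A-Za-z0-9._~/-]*\z#', $path)) {
        return null;
    }
    return $path;
}

// Server-configured keys can be used as-is; request-derived keys only through
// a validator. The second path is a benign request for comparison.
$report = [
    'document_root' => $sample['DOCUMENT_ROOT'],
    'host'          => trusted_host($sample, ALLOWED_HOSTS),
    'path'          => clean_request_path($sample),
    'benign_path'   => clean_request_path(['REQUEST_URI' => '/shared/css/site.css?v=3']),
];
var_export($report);
```

The validators return null rather than a "cleaned" string because a request carrying traversal segments or an unknown Host header is not something to repair; the caller should refuse the request.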

cfructose
03-30-2010, 02:02 PM
DOCUMENT_ROOT is defined in your configuration file, so, do you trust yourself?

LOL.

Well, that's thrown me!

I've been using the constants DOCUMENT_ROOT and SERVER_NAME on the presumption that they're inbuilt PHP constants that were somehow being calculated by PHP for me.
Are you telling me that they are defined in php.ini?

While we're at it, I'd appreciate someone giving the following the once-over... Any suggestions for improvements / words of caution about calculating these constants as I'm doing?



<?php
// Absolute filesystem path of the web root, with a trailing separator.
define('ABS_ROOT', $_SERVER['DOCUMENT_ROOT'].DIRECTORY_SEPARATOR);
//= /home/user/public_html/domain/

// Name of the web root's last directory component. basename() copes with a
// trailing slash and with Windows separators, which strrpos('/') did not.
define('ROOT', basename(rtrim($_SERVER['DOCUMENT_ROOT'], '/\\')).DIRECTORY_SEPARATOR);
//= domain/

// URLs always use '/', never DIRECTORY_SEPARATOR (which is '\' on Windows).
define('URL', 'http://'.$_SERVER['SERVER_NAME'].'/');
//= http://www.domain/

// Host name without a leading "www.".
define('DOMAIN', (substr($_SERVER['SERVER_NAME'], 0, 4) != 'www.') ? $_SERVER['SERVER_NAME'] : substr($_SERVER['SERVER_NAME'], 4));
//= domain

// Shared assets directory below the web root.
define('SHARED', ABS_ROOT.'shared'.DIRECTORY_SEPARATOR);
//= /home/user/public_html/domain/shared/ ("shared/" being a symlink)
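
The constants above, as an added example that is not cfructose's code: the same five values derived so that a trailing slash or a symlink in DOCUMENT_ROOT cannot break the string surgery, URLs stay on '/' on every OS, and the public host name is treated as configuration rather than read back from the request (on Apache, SERVER_NAME mirrors the client's Host header unless UseCanonicalName is On). It also shows the check a practitioner wants once DOCUMENT_ROOT is trusted: anything appended to it from the request must still resolve underneath it. The canonical host 'www.domain.example' and the __DIR__ fallback for CLI runs are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not the poster's code): robust derivation of the site's path
// and URL settings, plus a containment check for request-supplied file names.
// The canonical host and the CLI fallback to __DIR__ are assumptions.

/**
 * Derive the path and URL settings from a trusted document root and a
 * configured canonical host. Throws if the root is not a real directory.
 */
function derive_site_paths(string $documentRoot, string $canonicalHost): array
{
    $real = realpath($documentRoot);
    if ($real === false || !is_dir($real)) {
        throw new RuntimeException("DOCUMENT_ROOT is not a directory: $documentRoot");
    }
    $absRoot = rtrim($real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // basename() copes with trailing separators and Windows paths; strrpos('/') did not.
    $root   = basename(rtrim($real, '/\\')) . DIRECTORY_SEPARATOR;
    $domain = preg_replace('/\Awww\./', '', strtolower($canonicalHost));

    return [
        'ABS_ROOT' => $absRoot,
        'ROOT'     => $root,
        'DOMAIN'   => $domain,
        'URL'      => 'https://' . $canonicalHost . '/',   // URLs use '/' on every OS
        'SHARED'   => $absRoot . 'shared' . DIRECTORY_SEPARATOR,
    ];
}

/**
 * Resolve a request-supplied relative name under a trusted base directory and
 * return its real path only if it still lies inside that base, else null.
 * The base is resolved with realpath() first, so a base that is itself a
 * symlink (like shared/) is compared against its target, not its alias; a
 * candidate that is a symlink pointing outside the base is rejected too.
 */
function path_under(string $base, string $name): ?string
{
    if ($name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    $prefix    = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $candidate = realpath($prefix . $name);
    if ($candidate === false) {
        return null;           // missing file, or traversal through a dead link
    }
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

// On a web server DOCUMENT_ROOT comes from the vhost; from the CLI it is empty,
// so fall back to this script's directory purely to let the example run (assumption).
$docroot = ($_SERVER['DOCUMENT_ROOT'] ?? '') !== '' ? $_SERVER['DOCUMENT_ROOT'] : __DIR__;
$paths   = derive_site_paths($docroot, 'www.domain.example');
foreach ($paths as $name => $value) {
    define($name, $value);
}
var_export($paths);

// A file name taken from the request must stay below ABS_ROOT: this script's
// own name resolves, while a "../" escape to /etc/passwd is refused.
var_export(path_under(ABS_ROOT, basename(__FILE__)));
var_export(path_under(ABS_ROOT, '../../../etc/passwd'));
```

The point of path_under() is that trusting DOCUMENT_ROOT is only half the job: the prefix is trustworthy, but whatever the request appends to it is not, and a string prefix check on the unresolved path would be fooled by "..", so the comparison is made after realpath() on both sides.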


