Can $_SERVER['DOCUMENT_ROOT'] be trusted?
03-30-2010, 12:36 PM
I keep reading that we can't always trust what's returned in $_SERVER.
That's fine, but I'm still unclear, however, whether this applies to all its values, or only to some.
Is $_SERVER['DOCUMENT_ROOT'] foolproof, for example, or should I be wary of depending on it for finding absolute paths?
03-30-2010, 01:06 PM
On the whole, $_SERVER can be trusted to be accurate, but may contain dangerous values. DOCUMENT_ROOT should always be sane because it is a local filesystem path that does not come from the client. Bear in mind that keys such as REQUEST_URI are essentially provided by the client and should be filtered (http://uk2.php.net/manual/en/book.filter.php).
DOCUMENT_ROOT is defined in your configuration file, so, do you trust yourself? :)
03-30-2010, 02:02 PM
DOCUMENT_ROOT is defined in your configuration file, so, do you trust yourself?
Well, that's thrown me!
I've been using the constants DOCUMENT_ROOT and SERVER_NAME on the presumption that they're inbuilt constants of PHP's, and were somehow being calculated by PHP for me.
Are you telling me that they are defined in php.ini?
While we're at it, I'd appreciate someone giving the following the once-over... Any suggestions for improvements / words of caution about calculating these constants as I'm doing?
define('ROOT', substr($_SERVER['DOCUMENT_ROOT'], (strrpos($_SERVER['DOCUMENT_ROOT'], '/')+1)).DIRECTORY_SEPARATOR);
define('DOMAIN', (substr($_SERVER['SERVER_NAME'], 0, 4) != 'www.') ? $_SERVER['SERVER_NAME'] : substr($_SERVER['SERVER_NAME'], 4));
//= /home/user/public_html/domain/shared/ ("shared/" being a symlink)
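Added example, not part of any post in this thread: one way to handle the three kinds of $_SERVER values discussed above, resolving the configured DOCUMENT_ROOT through its symlink, accepting SERVER_NAME only when it matches a known host name (depending on web-server configuration it can reflect the client's Host header), and validating the client-supplied REQUEST_URI with the filter extension. The function names, the allow-list and the sample values are assumptions made for illustration; PHP 7.1 or later is assumed.

```php
<?php
// Constructed sample standing in for $_SERVER (values are illustrative).
$server = [
    'DOCUMENT_ROOT' => '/home/user/public_html/domain/shared', // from server config
    'SERVER_NAME'   => 'www.Example.com',       // may mirror the client's Host header
    'REQUEST_URI'   => '/index.php?q=<script>', // sent by the client
];
// Assumption: the host names this site is expected to answer for.
const ALLOWED_DOMAINS = ['example.com', 'example.org'];

// Resolve symlinks in the configured root; keep the raw value if it does not exist.
function canonical_root(string $docRoot): string
{
    $real = realpath($docRoot);
    return rtrim($real !== false ? $real : $docRoot, '/\\') . DIRECTORY_SEPARATOR;
}

// Lower-case, strip one leading "www.", then accept only allow-listed names.
function canonical_domain(string $serverName, array $allowed): ?string
{
    $name = strtolower(rtrim($serverName, '.'));
    if (strncmp($name, 'www.', 4) === 0) {
        $name = substr($name, 4);
    }
    return in_array($name, $allowed, true) ? $name : null;
}

// Keep only the path of the client-supplied URI, and only if it passes a strict pattern.
function safe_path(string $requestUri): ?string
{
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path) || strpos($path, '..') !== false) {
        return null;
    }
    $ok = filter_var($path, FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '#^/[A-Za-z0-9/_.-]*$#']]);
    return $ok === false ? null : $ok;
}

var_dump(canonical_root($server['DOCUMENT_ROOT']));
var_dump(canonical_domain($server['SERVER_NAME'], ALLOWED_DOMAINS)); // name on the allow-list
var_dump(canonical_domain('evil.test', ALLOWED_DOMAINS));            // name not on the allow-list
var_dump(safe_path($server['REQUEST_URI']));
var_dump(safe_path('/../outside.php'));                              // contains a ".." segment
```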