Can $_SERVER['DOCUMENT_ROOT'] be trusted?

03-30-2010, 12:36 PM
I keep reading that we can't always trust what's returned in $_SERVER.

That's fine, but I'm still unclear, however, whether this applies to all its values, or only to some.

Is $_SERVER['DOCUMENT_ROOT'] foolproof, for example, or should I be wary of depending on it for finding absolute paths?

03-30-2010, 01:06 PM
On the whole, $_SERVER can be trusted to be accurate, but may contain dangerous values. DOCUMENT_ROOT should always be sane because it is a local filesystem path that does not come from the client. Bear in mind that keys such as REQUEST_URI are essentially provided by the client and should be filtered (http://uk2.php.net/manual/en/book.filter.php).

DOCUMENT_ROOT is defined in your configuration file, so, do you trust yourself? :)


03-30-2010, 02:02 PM
Well, that's thrown me!

I've been using the constants DOCUMENT_ROOT and SERVER_NAME on the presumption that they're inbuilt constants of PHP's, and were somehow being calculated by PHP for me.
Are you telling me that they are defined in php.ini?

While we're at it, I'd appreciate someone giving the following the once-over... Any suggestions for improvements / words of caution about calculating these constants as I'm doing?

//= /home/user/public_html/domain/

//= domain/

//= http://www.domain/

define('DOMAIN', (substr($_SERVER['SERVER_NAME'], 0, 4) != 'www.') ? $_SERVER['SERVER_NAME'] : substr($_SERVER['SERVER_NAME'], 4));
//= domain

//= /home/user/public_html/domain/shared/ ("shared/" being a symlink)
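
An added example (not code from any poster in this thread) applying the advice above: DOCUMENT_ROOT is taken as configured, REQUEST_URI is validated before use, and SERVER_NAME is matched against an allowlist, since some web server configurations derive it from the request's Host header. The function names, the host list and the sample arrays are constructed assumptions.

```php
<?php
// Added example, not code from the thread. ALLOWED_HOSTS, $sample and
// $untrusted are constructed for illustration (assumptions, not page values).
const ALLOWED_HOSTS = ['example.com', 'www.example.com'];

// Bare domain ("www." stripped) if the host is one this site serves, else null.
function trusted_domain(array $server): ?string
{
    $host = strtolower($server['SERVER_NAME'] ?? '');
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        return null;
    }
    return strncmp($host, 'www.', 4) === 0 ? substr($host, 4) : $host;
}

// Path component of REQUEST_URI if it contains only expected characters and
// no ".." sequence, else null. The query string is discarded.
function safe_request_path(array $server): ?string
{
    $path = parse_url($server['REQUEST_URI'] ?? '', PHP_URL_PATH);
    if (!is_string($path) || !preg_match('#^/[A-Za-z0-9/_.-]*\z#', $path)) {
        return null;
    }
    return strpos($path, '..') === false ? $path : null;
}

// DOCUMENT_ROOT is set in the server configuration, so it is only normalised
// to end in exactly one slash.
function document_root(array $server): string
{
    return rtrim($server['DOCUMENT_ROOT'] ?? '', '/') . '/';
}

$sample = [
    'DOCUMENT_ROOT' => '/home/user/public_html/domain',
    'SERVER_NAME'   => 'www.example.com',
    'REQUEST_URI'   => '/news/item.php?id=7',
];
// Same request, but with a host and URI the site does not expect.
$untrusted = ['SERVER_NAME' => 'unknown.invalid', 'REQUEST_URI' => '/a/../../b"><i>'] + $sample;

var_dump(document_root($sample), trusted_domain($sample), safe_request_path($sample));
var_dump(trusted_domain($untrusted), safe_request_path($untrusted));
```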

