Is there a good alternative to $_SERVER['SERVER_NAME']?

I read the following comment on the PHP doc pages:

"Be warned that most Server-Array content (even $_SERVER['SERVER_NAME']) is provided by the client and can be manipulated. They can also be used for injection and thus MUST be checked and processed like any other user input."

Then, I saw the topic https://stackoverflow.com/a/167189/

Can I trust this value to get the URL of my website? If I cannot trust $_SERVER['SERVER_NAME'], how can I get this value? What are the possible alternatives and their advantages and disadvantages?

Note: PHP 5.3 on Apache, Unix.

+4
2 answers

You can ensure the security of this variable by including the UseCanonicalName directive inside your Apache configuration, as described here: http://www.apacheref.com/ref/http_core/UseCanonicalName.html

+1

I usually hardcode the "real" URL of my site into a site configuration file. I would not rely on what Apache "says" to tell you your URL. Do you have several different vhost aliases or servers pointing to the same docroot?

+3
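An added example (not code from either answer, nor from the PHP or Apache documentation) that combines the two suggestions above: the canonical URL lives in site configuration, and any client-supplied host value is normalised and checked against an allowlist before it is used. The hostnames, the `SITE_BASE_URL` constant and the function names are assumptions made for illustration.

```php
<?php
// Added example: all hostnames and names below are constructed placeholders.

// Canonical origin, hardcoded in site configuration (never derived from the request).
define('SITE_BASE_URL', 'https://www.example.com');

// Hosts this docroot legitimately answers to (vhost aliases included).
$ALLOWED_HOSTS = array('www.example.com', 'example.com');

/**
 * Normalise a client-supplied host value: lowercase, strip an optional port
 * and trailing dot. Returns null if the result is not a plain hostname.
 */
function normalise_host($raw)
{
    $host = strtolower(trim((string) $raw));
    $host = preg_replace('/:\d{1,5}$/', '', $host);
    $host = rtrim($host, '.');
    if ($host === '' || !preg_match('/^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?$/', $host)) {
        return null;
    }
    return $host;
}

// True only when the normalised value is an exact match for a configured host.
function host_is_allowed($raw, array $allowed)
{
    $host = normalise_host($raw);
    return $host !== null && in_array($host, $allowed, true);
}

// Build absolute links (e-mails, redirects) from configuration only.
function absolute_url($path)
{
    return SITE_BASE_URL . '/' . ltrim($path, '/');
}

// Constructed sample inputs standing in for $_SERVER['HTTP_HOST'] / ['SERVER_NAME'].
$samples = array('www.example.com', 'EXAMPLE.com:443', 'other.test', 'www.example.com<x>', '');
foreach ($samples as $value) {
    $verdict = host_is_allowed($value, $ALLOWED_HOSTS) ? 'accept' : 'reject';
    printf("%-24s => %s\n", var_export($value, true), $verdict);
}
echo absolute_url('/account/reset'), "\n";
```

In a real request handler, the check would run on `$_SERVER['HTTP_HOST']` before any routing, answering with a 400 status when it fails.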

Source: https://habr.com/ru/post/1432952/

