Re: When is it possible for $_SERVER['SERVER_NAME'] to contain something other than the URL which activated the script? [message #179835 is a reply to message #179834]
Tue, 11 December 2012 14:01
Paul Herber
On Tue, 11 Dec 2012 05:28:36 -0800, Scott Johnson <noonehome(at)chalupasworld(dot)com> wrote:
> On 12/11/2012 2:53 AM, Tony Marston wrote:
>> I always understood that when activated through a web browser that
>> $_SERVER['SERVER_NAME'] and $_SERVER['HTTP_HOST'] identified the domain
>> name under which the script was being run, but I have come across some
>> instances where both SERVER_NAME and HTTP_HOST appear to be spoofed, and
>> I wondered if this is legitimate or not.
>>
>> I have an application which exists on a live server and a test server,
>> with a different database for each, and they both share a common config
>> file which identifies which server it is running on so that it can use
>> the relevant database credentials. If the server name does not match
>> either of the live or test domain names (such as mydomain.com and
>> test.mydomain.com) then it uses invalid credentials which causes an
>> error when attempting to access the database. I never thought that this
>> error would ever appear, but lately I have been getting errors such as
>> the following:
>>
>> Fatal Error: mysqli_connect(): Access denied for user
>> 'default'@'localhost' (using password: YES).
>> Error in line 259 of file
>> '/var/www/vhosts/mydomain.com/httpdocs/transix/includes/dml.mysqli.class.inc'.
>>
>> PHP_SELF: /index.php
>> CURRENT DIRECTORY: /var/www/vhosts/mydomain.com/httpdocs
>> SERVER_ADDR: nnn.nnn.nnn.nnn
>> SERVER_NAME: www.yahoo.com
>> HTTP_HOST: www.yahoo.com
>> REMOTE_ADDR: 109.108.142.236
>> REQUEST_URI: http://www.yahoo.com/
>>
>> In order to run this script on my live server the URL should have been
>> www.mydomain.com but here you can see it reported as www.yahoo.com. How
>> is this possible?
>>
>> Tony Marston
>>
>> http://www.tonymarston.net
>> http://www.radicore.org
>
> Not an expert but it sounds that maybe your server/PHP engine is not
> configured properly.
>
> I know REQUEST_URI should NOT be counted on.
>
> Who is your host provider?
>
> You may try phpinfo() to get the full list of data/variables set by your
> server. Some here may ask for that info to help you further.
>
> Scotty
If this is a script to process a form then be aware that anything can call the script
(including webbots (good and bad), other web pages, anything). All incoming information
could be forged.
--
Regards, Paul Herber, Sandrila Ltd.
http://www.sandrila.co.uk/ twitter: @sandrilaLtd
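
An added example, not code from any poster in this thread: because HTTP_HOST is taken from the request's Host header, a shared config file can pick its environment from a fixed allowlist and answer unmatched hosts with 400 before any database connection is attempted. The hostnames are the ones named in the thread; the function name, the allowlist constant, the environment labels and the 400 response are assumptions.

```php
<?php
// Added example. Hostnames are the ones named in the thread; the
// environment labels and function name are hypothetical.
const HOST_ENVIRONMENTS = [
    'mydomain.com'      => 'live',
    'www.mydomain.com'  => 'live',
    'test.mydomain.com' => 'test',
];

/**
 * Map a client-supplied Host header value to an environment label.
 * Returns null for any host this application does not serve.
 */
function environmentForHost(?string $rawHost): ?string
{
    if ($rawHost === null) {
        return null;                                  // request sent without a Host header
    }
    $host = strtolower(trim($rawHost));
    $host = preg_replace('/:\d{1,5}$/', '', $host);   // drop an optional ":port"
    $host = rtrim($host, '.');                        // drop a trailing FQDN dot
    // Exact match only: suffix or substring tests would accept lookalike names.
    return HOST_ENVIRONMENTS[$host] ?? null;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs; www.yahoo.com is the value from the error report.
    $samples = ['www.mydomain.com', 'TEST.mydomain.com:80', 'www.yahoo.com',
                'mydomain.com.evil.example', null];
    foreach ($samples as $sample) {
        printf("%-28s => %s\n", var_export($sample, true),
               var_export(environmentForHost($sample), true));
    }
} else {
    $environment = environmentForHost($_SERVER['HTTP_HOST'] ?? null);
    if ($environment === null) {
        // Refuse before any database code runs, instead of connecting
        // with deliberately invalid credentials and raising a fatal error.
        http_response_code(400);
        header('Content-Type: text/plain');
        exit("Bad Request\n");
    }
    // Load the database credentials for $environment here.
}
```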