FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » When is it possible for $_SERVER['SERVER_NAME'] to contain something other than the URL which actvated the script?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: When is it possible for $_SERVER['SERVER_NAME'] to contain something other than the URL which actvated the script? [message #179856 is a reply to message #179839] Wed, 12 December 2012 13:10 Go to previous messageGo to previous message
Tony Marston is currently offline  Tony Marston
Messages: 57
Registered: November 2010
Karma:
Member
"M. Strobel" wrote in message news:aip563Ft79lU1(at)mid(dot)uni-berlin(dot)de...
>
> Am 11.12.2012 11:53, schrieb Tony Marston:
>> I always understood than when activated through a web browser that
>> $_SERVER['SERVER_NAME'] and $_SERVER['HTTP_HOST'] identified the domain
>> name under
>> which the script was being run, but I have come across some instances
>> where both
>> SERVER_NAME and HTTP_HOST appear to be spoofed, and I wondered if this is
>> legitimate
>> or not.
>>
>> I have an application which exists on a live server and a test server,
>> with a
>> different database for each, and they both share a common config file
>> which
>> identifies which server it is running on so that it can use the relevant
>> database
>> credentials. If the server name does not match either of the live or test
>> domain
>> names (such as mydomain.com and test.mydomain.com) then it uses invalid
>> credentials
>> which causes an error when attempting to access the database. I never
>> though that
>> this error would ever appear, but lately I have been getting errors such
>> as the
>> following:
>>
>> Fatal Error: mysqli_connect(): Access denied for user
>> 'default'@'localhost' (using
>> password: YES).
>> Error in line 259 of file
>> '/var/www/vhosts/mydomain.com/httpdocs/transix/includes/dml.mysqli.class.in c'.
>> PHP_SELF: /index.php
>> CURRENT DIRECTORY: /var/www/vhosts/mydomain.com/httpdocs
>> SERVER_ADDR: nnn.nnn.nnn.nnn
>> SERVER_NAME: www.yahoo.com
>> HTTP_HOST: www.yahoo.com
>> REMOTE_ADDR: 109.108.142.236
>> REQUEST_URI: http://www.yahoo.com/
>>
>> In order to run this script on my live server the URL should have been
>> www.mydomain.com but here you can see it reported as www.yahoo.com. How
>> is this
>> possible?
>
> I can think of several ways:
>
> The client did not use HTTP/1.1 = client request without a hostname
>
> Something like apache mod_rewrite on the server is doing it
>
> any other misconfiguration on the server sites (hopefully temporary)
>
> /Str.

There are no mod_rewrite settings on the server or any other settings which
would cause an error as the site has been is use for some while without
incident, but I am occasionally seeing errors like this because my script
cannot recognise the value in SERVER_NAME. Somebody is trying to access my
site, but somehow they are able to force the value of SERVER_NAME to be
something other than the domain name.

--
Tony Marston

http://www.tonymarston.net
http://www.radicore.org
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Recommendations for PHP Chart generation?
Next Topic: Printing out or displaying for debugging
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Mon Dec 02 20:20:22 GMT 2024

Total time taken to generate the page: 0.04586 seconds