Re: When is it possible for $_SERVER['SERVER_NAME'] to contain something other than the URL which activated the script? [message #179861 is a reply to message #179860]
Thu, 13 December 2012 06:52
Tony Marston
Messages: 57 Registered: November 2010
"The Natural Philosopher" wrote in message
news:kaam8e$n67$1(at)news(dot)albasani(dot)net...
>
> On 12/12/12 18:50, Daniel Pitts wrote:
>> On 12/12/12 9:22 AM, Tony Marston wrote:
>>> "Scott Johnson" wrote in message news:kaa0on$qjt$1(at)dont-email(dot)me...
>>>>
>>>> On 12/11/2012 11:25 PM, Tony Marston wrote:
>>>>
>>>> >> You may try phpinfo() to get the full list of data/variables set by
>>>> >> your server. Some here may ask for that info to help you further.
>>>> >
>>>> > The output from phpinfo() looks perfectly normal and correct. It shows
>>>> > the expected values for SERVER_NAME and HTTP_HOST.
>>>> >
>>>>
>>>> If you are getting the right value in SERVER_NAME and HTTP_HOST using
>>>> phpinfo() but are then getting a different value when you use the same
>>>> variable in your script, then you have an error in your script.
>>>
>>> There is no error in the script as it runs perfectly for thousands of
>>> requests, but occasionally it fails because $_SERVER['SERVER_NAME'] and
>>> $_SERVER['HOST_NAME'] contain values which are different from those
>>> which I expect and which are reported by phpinfo(). It appears that it
>>> *IS* possible for the client to spoof these values, as reported in
>>> http://shiflett.org/blog/2006/mar/server-name-versus-http-host
>>>
>>
>> The way that HTTP works, is that the client connects to the IP address,
>> and then sends the host name it was trying to connect to as part of the
>> headers. eg. Host: www.example.com. This allows for many virtual hosts
>> on a single IP/Port.
>>
>> What could happen is that someone's DNS is pointing to your IP, and so
>> you receive a request that was meant for a different URL.
>
> all of which can be overcome by setting up the web server to reject or
> redirect requests that have the wrong 'host' parameter...
And exactly how might that be done, O Great One?
--
Tony Marston
http://www.tonymarston.net
http://www.radicore.org
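
An application-level form of the check suggested in the quoted reply, as an added example that is not part of the original thread: the script compares the client-supplied Host header against a fixed allowlist and answers 400 when it does not match. The hostnames, the function names and the choice of a 400 response are assumptions made for illustration.

```php
<?php
// Added example: hostnames this site answers to (constructed values).
const ALLOWED_HOSTS = ['www.example.com', 'example.com'];

/** Return the normalised hostname if it is allowlisted, otherwise null. */
function validated_host(?string $rawHost, array $allowed = ALLOWED_HOSTS): ?string
{
    if ($rawHost === null || $rawHost === '') {
        return null;                                 // request carried no Host header
    }
    $host = strtolower(trim($rawHost));              // host names are case-insensitive
    $host = preg_replace('/:\d{1,5}$/', '', $host);  // drop an optional :port suffix
    $host = rtrim($host, '.');                       // drop the trailing dot of an FQDN
    // Anything other than letters, digits, hyphens and dots is rejected outright.
    if (!preg_match('/^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?$/', $host)) {
        return null;
    }
    return in_array($host, $allowed, true) ? $host : null;
}

/** Call as require_known_host($_SERVER) before any code that uses the host name. */
function require_known_host(array $server): string
{
    $host = validated_host($server['HTTP_HOST'] ?? null);
    if ($host === null) {
        http_response_code(400);
        header('Content-Type: text/plain');
        exit("Bad Request: unknown host\n");
    }
    return $host;   // safe to use when building links or e-mail bodies
}

// Self-check on constructed inputs when run from the command line.
if (PHP_SAPI === 'cli') {
    $cases = [
        'www.example.com'            => 'www.example.com',
        'WWW.Example.COM:8080'       => 'www.example.com',
        'example.com.'               => 'example.com',
        'other-site.test'            => null,
        'www.example.com@other.test' => null,
        ''                           => null,
    ];
    foreach ($cases as $in => $want) {
        $got = validated_host((string) $in);
        printf("%-4s %s\n", $got === $want ? 'ok' : 'FAIL', var_export($in, true));
    }
}
```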