Re: When is it possible for $_SERVER['SERVER_NAME'] to contain something other than the URL which activated the script? [message #179839 is a reply to message #179832]
Tue, 11 December 2012 16:26
M. Strobel
On 11.12.2012 11:53, Tony Marston wrote:
> I always understood that when activated through a web browser that
> $_SERVER['SERVER_NAME'] and $_SERVER['HTTP_HOST'] identified the domain name under
> which the script was being run, but I have come across some instances where both
> SERVER_NAME and HTTP_HOST appear to be spoofed, and I wondered if this is legitimate
> or not.
>
> I have an application which exists on a live server and a test server, with a
> different database for each, and they both share a common config file which
> identifies which server it is running on so that it can use the relevant database
> credentials. If the server name does not match either of the live or test domain
> names (such as mydomain.com and test.mydomain.com) then it uses invalid credentials
> which causes an error when attempting to access the database. I never thought that
> this error would ever appear, but lately I have been getting errors such as the
> following:
>
> Fatal Error: mysqli_connect(): Access denied for user 'default'@'localhost' (using
> password: YES).
> Error in line 259 of file
> '/var/www/vhosts/mydomain.com/httpdocs/transix/includes/dml.mysqli.class.inc'.
> PHP_SELF: /index.php
> CURRENT DIRECTORY: /var/www/vhosts/mydomain.com/httpdocs
> SERVER_ADDR: nnn.nnn.nnn.nnn
> SERVER_NAME: www.yahoo.com
> HTTP_HOST: www.yahoo.com
> REMOTE_ADDR: 109.108.142.236
> REQUEST_URI: http://www.yahoo.com/
>
> In order to run this script on my live server the URL should have been
> www.mydomain.com but here you can see it reported as www.yahoo.com. How is this
> possible?

I can think of several ways:
- The client did not use HTTP/1.1 = client request without a hostname
- Something like Apache mod_rewrite on the server is doing it
- Any other misconfiguration on the server sites (hopefully temporary)
/Str.
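
An added example, not part of either post: one way to make the shared config fail closed, by checking the client-supplied host against an allowlist and rejecting the request before any database code runs. It also handles a full URL in REQUEST_URI, as in the quoted report. The function name `resolve_environment` and the sample requests are assumptions; the domain names are the placeholders from the question.

```php
<?php
// Added example. Hosts are the placeholder names used in the question.
const KNOWN_HOSTS = [
    'mydomain.com'      => 'live',
    'www.mydomain.com'  => 'live',
    'test.mydomain.com' => 'test',
];

// Hypothetical helper: returns 'live' or 'test', or null when the
// client-supplied host is not one of ours.
function resolve_environment(array $server): ?string
{
    $host = $server['HTTP_HOST'] ?? $server['SERVER_NAME'] ?? '';

    // An absolute-form request line ("GET http://host/ HTTP/1.1") shows up
    // as a full URL in REQUEST_URI; take the host from there instead.
    $uri = $server['REQUEST_URI'] ?? '';
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $uri)) {
        $uriHost = parse_url($uri, PHP_URL_HOST);
        if (!is_string($uriHost)) {
            return null;
        }
        $host = $uriHost;
    }

    // Normalize: lower-case, drop an optional port and a trailing dot.
    $host = strtolower(trim($host));
    $host = preg_replace('/:\d+$/', '', $host);
    $host = rtrim($host, '.');

    return KNOWN_HOSTS[$host] ?? null;
}

// Constructed sample requests; the second mirrors the quoted error report.
$samples = [
    ['HTTP_HOST' => 'www.mydomain.com', 'REQUEST_URI' => '/index.php'],
    ['HTTP_HOST' => 'www.yahoo.com', 'SERVER_NAME' => 'www.yahoo.com',
     'REQUEST_URI' => 'http://www.yahoo.com/'],
    ['HTTP_HOST' => 'TEST.mydomain.com:80', 'REQUEST_URI' => '/'],
    ['REQUEST_URI' => '/'], // request without any host information
];

foreach ($samples as $s) {
    $env = resolve_environment($s);
    // A null result means: answer 400 and stop, never fall through to
    // placeholder database credentials.
    echo $env === null ? "400 Bad Request (host not recognized)\n"
                       : "environment: $env\n";
}
```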