Re: When is it possible for $_SERVER['SERVER_NAME'] to contain something other than the URL which activated the script? [message #179855 is a reply to message #179835]
Wed, 12 December 2012 13:05
Tony Marston
"Paul Herber" wrote in message
news:sveec8dfsaseid5mqiv6cb5g3gro9euenn(at)news(dot)eternal-september(dot)org...
>
> On Tue, 11 Dec 2012 05:28:36 -0800, Scott Johnson
> <noonehome(at)chalupasworld(dot)com> wrote:
>
>> On 12/11/2012 2:53 AM, Tony Marston wrote:
>>> I always understood that when activated through a web browser that
>>> $_SERVER['SERVER_NAME'] and $_SERVER['HTTP_HOST'] identified the domain
>>> name under which the script was being run, but I have come across some
>>> instances where both SERVER_NAME and HTTP_HOST appear to be spoofed, and
>>> I wondered if this is legitimate or not.
>>>
>>> I have an application which exists on a live server and a test server,
>>> with a different database for each, and they both share a common config
>>> file which identifies which server it is running on so that it can use
>>> the relevant database credentials. If the server name does not match
>>> either of the live or test domain names (such as mydomain.com and
>>> test.mydomain.com) then it uses invalid credentials which causes an
>>> error when attempting to access the database. I never thought that this
>>> error would ever appear, but lately I have been getting errors such as
>>> the following:
>>>
>>> Fatal Error: mysqli_connect(): Access denied for user
>>> 'default'@'localhost' (using password: YES).
>>> Error in line 259 of file
>>> '/var/www/vhosts/mydomain.com/httpdocs/transix/includes/dml.mysqli.class.in c'.
>>>
>>> PHP_SELF: /index.php
>>> CURRENT DIRECTORY: /var/www/vhosts/mydomain.com/httpdocs
>>> SERVER_ADDR: nnn.nnn.nnn.nnn
>>> SERVER_NAME: www.yahoo.com
>>> HTTP_HOST: www.yahoo.com
>>> REMOTE_ADDR: 109.108.142.236
>>> REQUEST_URI: http://www.yahoo.com/
>>>
>>> In order to run this script on my live server the URL should have been
>>> www.mydomain.com but here you can see it reported as www.yahoo.com. How
>>> is this possible?
>>>
>>> Tony Marston
>>>
>>> http://www.tonymarston.net
>>> http://www.radicore.org
>>
>> Not an expert but it sounds that maybe your server/PHP engine is not
>> configured properly.
>>
>> I know REQUEST_URI should NOT be counted on.
>>
>> Who is your host provider?
>>
>> You may try phpinfo() to get the full list of data/variables set by your
>> server. Some here may ask for that info to help you further.
>>
>> Scotty
>
> If this is a script to process a form then be aware that anything can call
> the script (including webbots (good and bad), other web pages, anything).
> All incoming information could be forged.
>
All my pages include the same config file in order to set the database
connection parameters according to which version of the website is being
used, live or test, but if the server name is not recognised as one of those
two it causes an error. But if this value can be spoofed, how is it possible
to identify, with absolute certainty, the name of the server on which the
application is running?
--
Tony Marston
http://www.tonymarston.net
http://www.radicore.org
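
An added example, not part of the thread or of any poster's code: HTTP_HOST is copied from the request's Host header, and SERVER_NAME can follow it depending on web server configuration, so this sketch picks the environment from server-side facts and only checks the Host header against an allowlist. APP_ENV, the machine names web01/dev01 and both function names are hypothetical; the sample request is constructed from the error report above.

```php
<?php
// Host names this application is meant to answer to (example domains from the post).
const KNOWN_HOSTS = ['www.mydomain.com', 'mydomain.com', 'test.mydomain.com'];

// Hypothetical map of machine hostnames to environments, maintained by the admin.
const MACHINES = ['web01' => 'live', 'dev01' => 'test'];

/**
 * Choose the environment from values the client cannot set.
 * APP_ENV is an assumed variable defined in the server/vhost configuration;
 * the fallback is the machine's own hostname, never the Host header.
 */
function resolve_environment(array $server, string $machineName): ?string
{
    $env = $server['APP_ENV'] ?? null;
    if ($env === 'live' || $env === 'test') {
        return $env;
    }
    return MACHINES[$machineName] ?? null;
}

/** The Host header is client input: normalise it and compare with the allowlist. */
function host_is_expected(array $server): bool
{
    $host = strtolower((string) ($server['HTTP_HOST'] ?? ''));
    $host = (string) preg_replace('/:\d+$/', '', $host); // drop an optional port
    return in_array($host, KNOWN_HOSTS, true);
}

// Constructed request mirroring the error report in the thread.
$request = [
    'HTTP_HOST'   => 'www.yahoo.com',
    'SERVER_NAME' => 'www.yahoo.com',
    'APP_ENV'     => 'live',           // set by the server config, not by the client
];

$env = resolve_environment($request, gethostname());
echo 'environment: ', $env ?? 'unknown', "\n";

if (!host_is_expected($request)) {
    // Refuse before any database code runs instead of connecting with dummy credentials.
    echo "400 Bad Request: unexpected Host header\n";
}
```

In a real page `$request` would be `$_SERVER`; the database credentials are then keyed on `$env`, and a request with an unexpected Host header is answered with an error response rather than a failed connection attempt.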