How to safely use HTTP_HOST and SERVER_NAME?
Many people use the HTTP_HOST and SERVER_NAME variables. How to safely use these variables? According to the PHP documentation, if I understand correctly, HTTP_HOST and SERVER_NAME are vulnerable. What to do in a situation where you need to get HOSTNAME?
// An example that often appears in various applications.
$hostName = isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : 'localhost';
Are you talking about this article?
HTTP_HOST is what comes in the headers from the client (may be spoofed).
SERVER_NAME is what is written in the web server settings (does not change).
The problem is only if your script is run as the default host on the server. There you can replace both, but there is already a problem with the user who configured it this way.
If you are afraid of XSS via host, escape it when outputting.
SQL injection is unlikely to be allowed nowadays.
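An added example, not part of the answer above: one way to get a host name without trusting either variable is to use the request value only to select an entry from an allowlist, and to escape it on output anyway. This also covers the default-host case the answer mentions. The constants ALLOWED_HOSTS and FALLBACK_HOST, the function trustedHost() and the sample requests are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: the host names this application is meant to serve.
const ALLOWED_HOSTS = ['example.com', 'www.example.com'];
const FALLBACK_HOST = 'example.com';

/**
 * Return a host name that is safe to use in links, redirects and e-mails.
 * The request value is only used to pick an entry from the allowlist.
 */
function trustedHost(array $server): string
{
    // Same preference as the question's snippet, but never trusted as-is.
    $raw = $server['SERVER_NAME'] ?? $server['HTTP_HOST'] ?? '';
    $raw = strtolower(trim((string) $raw));

    // Accept "name" or "name:port"; markup, spaces, CR/LF etc. are rejected.
    if (!preg_match('/\A([a-z0-9.-]{1,253})(?::\d{1,5})?\z/', $raw, $m)) {
        return FALLBACK_HOST;
    }

    return in_array($m[1], ALLOWED_HOSTS, true) ? $m[1] : FALLBACK_HOST;
}

// Constructed sample inputs, standing in for $_SERVER on different requests.
$samples = [
    ['SERVER_NAME' => 'www.example.com', 'HTTP_HOST' => 'www.example.com:443'],
    ['HTTP_HOST' => 'EXAMPLE.com:8080'],      // normalised to example.com
    ['HTTP_HOST' => 'unknown.invalid'],       // not in the allowlist
    ['HTTP_HOST' => '<b>not-a-host</b>'],     // fails the syntax check
    [],                                       // CLI or missing header
];

foreach ($samples as $server) {
    $host = trustedHost($server);
    // Escape at the point of output, even though the value is allowlisted.
    echo htmlspecialchars($host, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), PHP_EOL;
}
```

Only the first two sample requests resolve to the host they asked for; the other three fall back to FALLBACK_HOST.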