Just a PHP file to put on your local server (as I don't have enough memory)
<?php
$indicesServer = array('PHP_SELF',
'argv',
'argc',
'GATEWAY_INTERFACE',
'SERVER_ADDR',
'SERVER_NAME',
'SERVER_SOFTWARE',
'SERVER_PROTOCOL',
'REQUEST_METHOD',
'REQUEST_TIME',
'REQUEST_TIME_FLOAT',
'QUERY_STRING',
'DOCUMENT_ROOT',
'HTTP_ACCEPT',
'HTTP_ACCEPT_CHARSET',
'HTTP_ACCEPT_ENCODING',
'HTTP_ACCEPT_LANGUAGE',
'HTTP_CONNECTION',
'HTTP_HOST',
'HTTP_REFERER',
'HTTP_USER_AGENT',
'HTTPS',
'REMOTE_ADDR',
'REMOTE_HOST',
'REMOTE_PORT',
'REMOTE_USER',
'REDIRECT_REMOTE_USER',
'SCRIPT_FILENAME',
'SERVER_ADMIN',
'SERVER_PORT',
'SERVER_SIGNATURE',
'PATH_TRANSLATED',
'SCRIPT_NAME',
'REQUEST_URI',
'PHP_AUTH_DIGEST',
'PHP_AUTH_USER',
'PHP_AUTH_PW',
'AUTH_TYPE',
'PATH_INFO',
'ORIG_PATH_INFO') ;
echo '<table cellpadding="10">' ;
foreach ($indicesServer as $arg) {
if (isset($_SERVER[$arg])) {
echo '<tr><td>'.$arg.'</td><td>' . $_SERVER[$arg] . '</td></tr>' ;
}
else {
echo '<tr><td>'.$arg.'</td><td>-</td></tr>' ;
}
}
echo '</table>' ;
/*
That will give you the result of each variable like (if the file is server_indices.php at the root and Apache Web directory is in E:\web) :
PHP_SELF /server_indices.php
argv -
argc -
GATEWAY_INTERFACE CGI/1.1
SERVER_ADDR 127.0.0.1
SERVER_NAME localhost
SERVER_SOFTWARE Apache/2.2.22 (Win64) PHP/5.3.13
SERVER_PROTOCOL HTTP/1.1
REQUEST_METHOD GET
REQUEST_TIME 1361542579
REQUEST_TIME_FLOAT -
QUERY_STRING
DOCUMENT_ROOT E:/web/
HTTP_ACCEPT text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
HTTP_ACCEPT_CHARSET ISO-8859-1,utf-8;q=0.7,*;q=0.3
HTTP_ACCEPT_ENCODING gzip,deflate,sdch
HTTP_ACCEPT_LANGUAGE fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
HTTP_CONNECTION keep-alive
HTTP_HOST localhost
HTTP_REFERER http://localhost/
HTTP_USER_AGENT Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17
HTTPS -
REMOTE_ADDR 127.0.0.1
REMOTE_HOST -
REMOTE_PORT 65037
REMOTE_USER -
REDIRECT_REMOTE_USER -
SCRIPT_FILENAME E:/web/server_indices.php
SERVER_ADMIN myemail@personal.us
SERVER_PORT 80
SERVER_SIGNATURE
PATH_TRANSLATED -
SCRIPT_NAME /server_indices.php
REQUEST_URI /server_indices.php
PHP_AUTH_DIGEST -
PHP_AUTH_USER -
PHP_AUTH_PW -
AUTH_TYPE -
PATH_INFO -
ORIG_PATH_INFO -
*/
?>
$_SERVER
$HTTP_SERVER_VARS [видалена]
(PHP 4 >= 4.1.0, PHP 5)
$_SERVER -- $HTTP_SERVER_VARS [видалена] — Інформація про серверне та виконавче оточення
Опис
Змінна $_SERVER є масивом (array), що містить таку інформацію як заголовки, шляхи та розташування скриптів. Записи в цьому масиві створює веб-сервер. Немає гарантії того, що кожен веб-сервер буде надавати всі ці записи; веб-сервери можуть опускати деякі з цих змінних, або надавати інші, незазначені в списку, що наведено нижче. Тим не менше, але більша частина з цих змінних взяті на облік в » специфікації CGI/1.1, отже вам варто бути готовим до них.
Змінна $HTTP_SERVER_VARS містить таку ж ініціалізуючу інформацію, але не є суперглобальною. (Зауважте, що $HTTP_SERVER_VARS та $_SERVER є різними змінними, а тому PHP обробляє їх як такі). Також майте на увазі, що масиви з довгою назвою були видалені починаючи з PHP 5.4.0, отже змінної $HTTP_SERVER_VARS більше не існує.
Індекси
Ви можете знайти (а можете і не знайти) будь-який з наступних елементів в $_SERVER. Невелика кількість з них може бути доступною (або дійсно матиме значення), якщо ви запускаєте PHP з командного рядка.
- 'PHP_SELF'
- Шлях до файла, де в даний момент запущено скрипт, відносно кореневого каталогу документів веб-сервера (document root). Наприклад, $_SERVER['PHP_SELF'] в скрипті за адресою http://example.com/foo/bar.php буде /foo/bar.php. Константа __FILE__ містить повний шлях та назву поточного (тобто підключеного) файла. Якщо PHP запущено з командного рядка, ця змінна містить назву скрипта починаючи з PHP 4.3.0, що раніше було недоступно.
- 'argv'
- Масив аргументів, переданих до скрипта. Коли скрипт запущено з командного рядка, то є можливість передавати до нього параметри в C-стилі. При виклику через метод GET, цей масив містить рядок запита.
- 'argc'
- Містить число параметрів, переданих до скрипта з командного рядка (якщо скрипт запущено з командного рядка).
- 'GATEWAY_INTERFACE'
- Назва та номер ревізії специфікації CGI сервера, що використовується; наприклад, 'CGI/1.1'.
- 'SERVER_ADDR'
- IP-адреса сервера, під яким поточний скрипт виконується.
- 'SERVER_NAME'
- Назва хоста сервера, під яким поточний скрипт виконується. Якщо скрипт запущено на віртуальному хості, ця змінна міститиме його назву.
- 'SERVER_SOFTWARE'
- Ідентифікаційний рядок сервера, передається в заголовках при відповіді на запит.
- 'SERVER_PROTOCOL'
- Назва та номер ревізії протоколу, через який було запитано сторінку; наприклад, 'HTTP/1.0';
- 'REQUEST_METHOD'
-
Назва метода, що використовувався при запиті сторінки;
тобто 'GET',
'HEAD', 'POST',
'PUT'.
Зауваження:
Скрипт PHP завершує роботу після відправки заголовків (тобто, після здійснення будь-якого виводу без його буферизації) якщо метод запита був HEAD.
- 'REQUEST_TIME'
- Мітка часу, коли почався запит. Доступна починаючи з PHP 5.1.0.
- 'REQUEST_TIME_FLOAT'
- Мітка часу, коли почався запит, з точністю до мікросекунд. Доступна починаючи з PHP 5.4.0.
- 'QUERY_STRING'
- Рядок запиту, якщо він є, через який доступились до сторінки.
- 'DOCUMENT_ROOT'
- Коренева директорія документів (document root), з під якої поточний скрипт виконується; вона визначається в конфігураційному файлі веб-сервера.
- 'HTTP_ACCEPT'
- Вміст заголовка Accept: з поточного запита, якщо він є.
- 'HTTP_ACCEPT_CHARSET'
- Вміст заголовка Accept-Charset: з поточного запита, якщо він є. Наприклад: 'iso-8859-1,*,utf-8'.
- 'HTTP_ACCEPT_ENCODING'
- Вміст заголовка Accept-Encoding: з поточного запита, якщо він є. Наприклад: 'gzip'.
- 'HTTP_ACCEPT_LANGUAGE'
- Вміст заголовка Accept-Language: з поточного запита, якщо він є. Наприклад: 'uk'.
- 'HTTP_CONNECTION'
- Вміст заголовка Connection: з поточного запита, якщо він є. Наприклад: 'Keep-Alive'.
- 'HTTP_HOST'
- Вміст заголовка Host: з поточного запита, якщо він є.
- 'HTTP_REFERER'
- Адреса сторінки (якщо така є), з якої користувач перейшов на поточну сторінку. Це значення встановлюється браузером. Не всі браузери встановлюють це значення, а деякі надають можливість модифікувати HTTP_REFERERв якості додаткової можливості. Якщо коротко - цьому значенню не можна довіряти.
- 'HTTP_USER_AGENT'
- Вміст заголовка User-Agent: з поточного запита, якщо він є. Цей рядок містить позначення браузера користувача, з якого було запрошено поточну сторінку. Типовий приклад такого рядка: Mozilla/4.5 [en] (X11; U; Linux 2.2.9 i586). Серед іншого, ви можете використовувати це значення з get_browser(), щоб адаптувати вивід вашої сторінки під можливості браузера користувача.
- 'HTTPS'
-
Має непусте значення, якщо скрипт було запитано через протокол HTTPS.
Зауваження: При використанні ISAPI разом з IIS, матиме значення off, якщо запит було здійснено не через протокол HTTPS.
- 'REMOTE_ADDR'
- IP-адреса, з якої користувач переглядає поточну сторінку.
- 'REMOTE_HOST'
-
Назва хоста, з якого користувач переглядає поточну сторінку. Зворотній
пошук DNS базується на REMOTE_ADDR користувача.
Зауваження: Ваш веб-сервер повинен бути сконфігурований, щоб створювати цю змінну. Наприклад, в Apache вам потрібно HostnameLookups On у файлі httpd.conf, щоб вона існувала. Див. також gethostbyaddr().
- 'REMOTE_PORT'
- Порт, який було використано на комп'ютері користувача, для зв'язку з веб-сервером.
- 'REMOTE_USER'
- Ім'я авторизованого користувача.
- 'REDIRECT_REMOTE_USER'
- Ім'я авторизованого користувача, якщо запит має внутрішню переадресацію.
- 'SCRIPT_FILENAME'
-
Абсолютний шлях до поточного скрипта, що виконується.
Зауваження:
Якщо скрипт виконується через CLI, з використанням відносного шляху, такого як file.php чи ../file.php, $_SERVER['SCRIPT_FILENAME'] буде містити цей відносний шлях, визначений користувачем.
- 'SERVER_ADMIN'
- Значення, що встановлено для директиви SERVER_ADMIN (для Apache) в конфігураційному файлі веб-сервера. Якщо скрипт запущено на віртуальному хості, SERVER_ADMIN матиме значення, визначене для даного віртуального хоста.
- 'SERVER_PORT'
-
Порт сервера, який використовується веб-сервером для зв'язку.
Початково, встановлюється значення '80'.
Але використовуючи SSL, наприклади, це значення буде таким, яке
вказано в конфіг-файлі для з'єднання через безпечний HTTP-порт.
Зауваження: На Apache 2, ви повинні встановити UseCanonicalName = On, а також UseCanonicalPhysicalPort = On для того, щоб отримати фізичний (реальний) порт, бо в іншому випадку, це значення може підмінятись, а тому не буде повертатись значення фізичного порта. Спиратись на це значення небезпечно в контексті, коли є потреба в посиленій безпеці.
- 'SERVER_SIGNATURE'
- Рядок, що містить версію веб-сервера та назву віртуального хоста, які додаються до сторінок, якщо на веб-сервері ця функціональність підключена.
- 'PATH_TRANSLATED'
-
Шлях, що базується на файловій системі (а не на шляху до кореневого
каталога документів), який веде до поточного скрипта. PATH_TRANSLATED
матиме значення, якщо створено співставлення (мапінг) між назвою
віртуального хоста та реальним шляхом до його каталога.
Зауваження: Починаючи з PHP 4.3.2, PATH_TRANSLATED більше не встановлюється явно на SAPI Apache 2, на відміну від Apache 1, де для неї встановлюється те ж саме значення, що і для змінної сервера SCRIPT_FILENAME, коли її не заповнено через конфіг-файли. Ця зміна була зроблена для відповідності зі специфікацією CGI, яка говорить, що змінна PATH_TRANSLATED повинна існувати тільки тоді, коли PATH_INFO є визначеною. Користувачі Apache 2 можуть використовувати AcceptPathInfo = On у файлі httpd.conf, щоб визначити PATH_INFO.
- 'SCRIPT_NAME'
- Містить шлях до поточного скрипта. Це є корисним для сторінок, які повинні посилатись на самих себе. Константа __FILE__ містить повний шлях та назву файла до поточного (тобто підключеного) файла.
- 'REQUEST_URI'
- URI, яке передається для доступу до поточного скрипта; наприклад, '/index.html'.
- 'PHP_AUTH_DIGEST'
- При виконанні Digest HTTP автентифікації, цій змінній передається значення заголовка 'Authorization', що присилається клієнтом (який потім потрібно використовувати при відповідній перевірці).
- 'PHP_AUTH_USER'
- При виконанні HTTP автентифікації, цій змінній передається значення імені користувача, що передає користувач.
- 'PHP_AUTH_PW'
- При виконанні HTTP автентифікації, цій змінній передається значення пароля, що перередає користувач.
- 'AUTH_TYPE'
- При виконанні HTTP автентифікації, цій змінній передається значення типу автентифікації.
- 'PATH_INFO'
- Містить будь-який шлях, що надається клієнтом в кінці назви поточного скрипта, але передує рядку запита (якщо є). Наприклад, якщо до поточного скрипта доступаються через URL http://www.example.com/php/path_info.php/some/stuff?foo=bar, то $_SERVER['PATH_INFO'] буде містити /some/stuff.
- 'ORIG_PATH_INFO'
- Оригінальна версія 'PATH_INFO' перед обробкою її через PHP.
Журнал Змін
| Версія | Опис |
|---|---|
| 5.4.0 | Змінна $HTTP_SERVER_VARS більше не доступна через те, що відповідні довгі масиви було видалено. |
| 5.3.0 | Директива register_long_arrays, що підключала $HTTP_SERVER_VARS, стала застарілою. |
| 4.1.0 | Вводиться $_SERVER на заміну застарілої $HTTP_SERVER_VARS. |
Приклади
Приклад #1 Використання $_SERVER
<?php
echo $_SERVER['SERVER_NAME'];
?>
Наведений вище приклад виведе щось подібне до:
www.example.com
Примітки
Зауваження:
Це є "суперглобальна", або автоматична глобальна змінна. Тобто ця змінна доступна у всіх областях видимості скрипта, та її не потрібно оголошувати як global $variable; щоб отримати доступ до неї всередині функції чи метода.
add a note
User Contributed Notes 45 notes
zeufonlinux at gmail dot com ¶
11 years ago
vcoletti at tiscali dot it ¶
4 years ago
To list all the $_SERVER parameters, simply do:
foreach ($_SERVER as $parm => $value) echo "$parm = '$value'\n";
No need to list all possible keys of the array.
Vladimir Kornea ¶
15 years ago
1. All elements of the $_SERVER array whose keys begin with 'HTTP_' come from HTTP request headers and are not to be trusted.
2. All HTTP headers sent to the script are made available through the $_SERVER array, with names prefixed by 'HTTP_'.
3. $_SERVER['PHP_SELF'] is dangerous if misused. If login.php/nearly_arbitrary_string is requested, $_SERVER['PHP_SELF'] will contain not just login.php, but the entire login.php/nearly_arbitrary_string. If you've printed $_SERVER['PHP_SELF'] as the value of the action attribute of your form tag without performing HTML encoding, an attacker can perform XSS attacks by offering users a link to your site such as this:
<a href='http://www.example.com/login.php/"><script type="text/javascript">...</script><span a="'>Example.com</a>
The javascript block would define an event handler function and bind it to the form's submit event. This event handler would load via an <img> tag an external file, with the submitted username and password as parameters.
Use $_SERVER['SCRIPT_NAME'] instead of $_SERVER['PHP_SELF']. HTML encode every string sent to the browser that should not be interpreted as HTML, unless you are absolutely certain that it cannot contain anything that the browser can interpret as HTML.
pierstoval at example dot com ¶
7 years ago
As PHP $_SERVER var is populated with a lot of vars, I think it's important to say that it's also populated with environment vars.
For example, with a PHP script, we can have this:
MY_ENV_VAR=Hello php -r 'echo $_SERVER["MY_ENV_VAR"];'
Will show "Hello".
But, internally, PHP makes sure that "internal" keys in $_SERVER are not overriden, so you wouldn't be able to do something like this:
REQUEST_TIME=Hello php -r 'var_dump($_SERVER["REQUEST_TIME"]);'
Will show something like 1492897785
However, a lot of vars are still vulnerable from environment injection.
I created a gist here ( https://gist.github.com/Pierstoval/f287d3e61252e791a943dd73874ab5ee ) with my PHP configuration on windows with PHP7.0.15 on WSL with bash, the results are that the only "safe" vars are the following:
PHP_SELF
SCRIPT_NAME
SCRIPT_FILENAME
PATH_TRANSLATED
DOCUMENT_ROOT
REQUEST_TIME_FLOAT
REQUEST_TIME
argv
argc
All the rest can be overriden with environment vars, which is not very cool actually because it can break PHP applications sometimes...
(and I only tested on CLI, I had no patience to test with Apache mod_php or Nginx + PHP-FPM, but I can imagine that not a lot of $_SERVER properties are "that" secure...)
MarkAgius at markagius dot co dot uk ¶
12 years ago
You have missed 'REDIRECT_STATUS'
Very useful if you point all your error pages to the same file.
File; .htaccess
# .htaccess file.
ErrorDocument 404 /error-msg.php
ErrorDocument 500 /error-msg.php
ErrorDocument 400 /error-msg.php
ErrorDocument 401 /error-msg.php
ErrorDocument 403 /error-msg.php
# End of file.
File; error-msg.php
<?php
$HttpStatus = $_SERVER["REDIRECT_STATUS"] ;
if($HttpStatus==200) {print "Document has been processed and sent to you.";}
if($HttpStatus==400) {print "Bad HTTP request ";}
if($HttpStatus==401) {print "Unauthorized - Iinvalid password";}
if($HttpStatus==403) {print "Forbidden";}
if($HttpStatus==500) {print "Internal Server Error";}
if($HttpStatus==418) {print "I'm a teapot! - This is a real value, defined in 1998";}
?>
chris at ocproducts dot com ¶
7 years ago
Guide to absolute paths...
Data: __FILE__
Data type: String
Purpose: The absolute pathname of the running PHP file, including the filename.
Caveat: This is not the file called by the PHP processor, it's what is running. So if you are inside an include, it's the include.
Caveat: Symbolic links are pre-resolved, so don't trust comparison of paths to be accurate.
Caveat: Don't assume all operating systems use '/' for the directory separator.
Works on web mode: Yes
Works on CLI mode: Yes
Data: __DIR__
Data type: String
Purpose: The absolute pathname to the running PHP file, excluding the filename
Caveat: This is not the file called by the PHP processor, it's what is running. So if you are inside an include, it's the include.
Caveat: Symbolic links are pre-resolved, so don't trust comparison of paths to be accurate.
Caveat: Don't assume all operating systems use '/' for the directory separator.
Works on web mode: Yes
Works on CLI mode: Yes
Data: $_SERVER['SCRIPT_FILENAME']
Data type: String
Purpose: The absolute pathname of the origin PHP file, including the filename
Caveat: Not set on all PHP environments, may need setting by copying from __FILE__ before other files are included.
Caveat: Symbolic links are not pre-resolved, use PHP's 'realpath' function if you need it resolved.
Caveat: Don't assume all operating systems use '/' for the directory separator.
Caveat: "Filename" makes you think it is just a filename, but it really is the full absolute pathname. Read the identifier as "Script's filesystem (path)name".
Works on web mode: Yes
Works on CLI mode: Yes
Data: $_SERVER['PATH_TRANSLATED']
Data type: String
Purpose: The absolute pathname of the origin PHP file, including the filename
Caveat: It's probably not set, best to just not use it. Just use realpath($_SERVER['SCRIPT_FILENAME']) (and be aware that itself may need to have been emulated).
Caveat: Symbolic links are pre-resolved, so don't trust comparison of paths to be accurate.
Caveat: Don't assume all operating systems use '/' for the directory separator.
Works on web mode: Yes
Works on CLI mode: No
Data: $_SERVER['DOCUMENT_ROOT']
Data type: String
Purpose: Get the absolute path to the web server's document root. No trailing slash.
Caveat: Don't trust this to be set, or set correctly, unless you control the server environment.
Caveat: May or may not have symbolic links pre-resolved, use PHP's 'realpath' function if you need it resolved.
Caveat: Don't assume all operating systems use '/' for the directory separator.
Works on web mode: Yes
Works on CLI mode: No
Note that if something is not set it may be missing from $_SERVER, or it may be blank, so use PHP's 'empty' function for your test.
Note that if you call "php --info" on the command line then naturally some of these settings are going to be blank, as no PHP file is involved.
krinklemail at gmail dot com ¶
11 years ago
If requests to your PHP script send a header "Content-Type" or/ "Content-Length" it will, contrary to regular HTTP headers, not appear in $_SERVER as $_SERVER['HTTP_CONTENT_TYPE']. PHP removes these (per CGI/1.1 specification[1]) from the HTTP_ match group.
They are still accessible, but only if the request was a POST request. When it is, it'll be available as:
$_SERVER['CONTENT_LENGTH']
$_SERVER['CONTENT_TYPE']
[1] https://www.ietf.org/rfc/rfc3875
jonbarnett at gmail dot com ¶
15 years ago
It's worth noting that $_SERVER variables get created for any HTTP request headers, including those you might invent:
If the browser sends an HTTP request header of:
X-Debug-Custom: some string
Then:
<?php
$_SERVER['HTTP_X_DEBUG_CUSTOM']; // "some string"
?>
There are better ways to identify the HTTP request headers sent by the browser, but this is convenient if you know what to expect from, for example, an AJAX script with custom headers.
Works in PHP5 on Apache with mod_php. Don't know if this is true from other environments.
Tonin ¶
15 years ago
When using the $_SERVER['SERVER_NAME'] variable in an apache virtual host setup with a ServerAlias directive, be sure to check the UseCanonicalName apache directive. If it is On, this variable will always have the apache ServerName value. If it is Off, it will have the value given by the headers sent by the browser.
Depending on what you want to do the content of this variable, put in On or Off.
ywarnier at beeznest dot org ¶
6 years ago
Note that $_SERVER['REQUEST_URI'] might include the scheme and domain in certain cases.
This happens, for example, when calling the page through a call to stream_context_create() with a HTTP header of 'request_fulluri' set to 1.
For example:
$http = ['request_fulluri' => 1, /* other params here */];
$context = stream_context_create(array( 'http' => $http ));
$fp = fopen($some_url, 'rb', false, $context);
When outputting $_SERVER['REQUEST_URI'] on the server at $some_url, you will get
https://some_url/some_script.php
Remove the request_fulluri => 1 option, and $_SERVER['REQUEST_URI'] gets back to its "normal":
/some_script.php
Apparently, request_fulluri is useful when using some proxy servers.
In this case, there is no proper way to "detect" if this option was set or not, and you should probably use a combination of other $_SERVER[] elements (like REQUEST_SCHEME, SERVER_NAME and SERVER_PORT) to determine if this was the case.
One quick (and improvable) way to detect it would be to compare the start of the REQUEST_URI with REQUEST_SCHEME:
$scheme = $_SERVER['REQUEST_SCHEME'] . '://';
if (strcmp(substr($_SERVER['REQUEST_URI'], 0, strlen($scheme)), $scheme) === 0) {
// request_fulluri was set
}
Mark Simon ¶
4 years ago
So near, and yet so far …
$_SERVER has nearly everything you need to know about the current web page environment. Something which would have been handy is easy access to the protocol and the actual web root.
For the protocol, you may or may not have $_SERVER['HTTPS'] and it may or may not be empty. For the web root, $_SERVER['DOCUMENT_ROOT'] depends on the server configuration, and doesn’t work for virtual hosts.
For practical purposes, I normally include something like the following in my scripts:
<?php
// Web Root
// Usage: include("$root/includes/something.inc.php");
$root = $_SERVER['WEB_ROOT'] = str_replace($_SERVER['SCRIPT_NAME'],'',$_SERVER['SCRIPT_FILENAME']);
// Host & Protocol
// Usage: $url = "$protocol://$host/images/something.jpg";
$host = $_SERVER['HTTP_HOST'];
$protocol=$_SERVER['PROTOCOL'] = isset($_SERVER['HTTPS']) && !empty($_SERVER['HTTPS']) ? 'https' : 'http';
?>
steve at sc-fa dot com ¶
14 years ago
If you are serving from behind a proxy server, you will almost certainly save time by looking at what these $_SERVER variables do on your machine behind the proxy.
$_SERVER['HTTP_X_FORWARDED_FOR'] in place of $_SERVER['REMOTE_ADDR']
$_SERVER['HTTP_X_FORWARDED_HOST'] and
$_SERVER['HTTP_X_FORWARDED_SERVER'] in place of (at least in our case,) $_SERVER['SERVER_NAME']
Richard York ¶
14 years ago
Not documented here is the fact that $_SERVER is populated with some pretty useful information when accessing PHP via the shell.
["_SERVER"]=>
array(24) {
["MANPATH"]=>
string(48) "/usr/share/man:/usr/local/share/man:/usr/X11/man"
["TERM"]=>
string(11) "xterm-color"
["SHELL"]=>
string(9) "/bin/bash"
["SSH_CLIENT"]=>
string(20) "127.0.0.1 41242 22"
["OLDPWD"]=>
string(60) "/Library/WebServer/Domains/www.example.com/private"
["SSH_TTY"]=>
string(12) "/dev/ttys000"
["USER"]=>
string(5) "username"
["MAIL"]=>
string(15) "/var/mail/username"
["PATH"]=>
string(57) "/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/X11/bin"
["PWD"]=>
string(56) "/Library/WebServer/Domains/www.example.com/www"
["SHLVL"]=>
string(1) "1"
["HOME"]=>
string(12) "/Users/username"
["LOGNAME"]=>
string(5) "username"
["SSH_CONNECTION"]=>
string(31) "127.0.0.1 41242 10.0.0.1 22"
["_"]=>
string(12) "/usr/bin/php"
["__CF_USER_TEXT_ENCODING"]=>
string(9) "0x1F5:0:0"
["PHP_SELF"]=>
string(10) "Shell.php"
["SCRIPT_NAME"]=>
string(10) "Shell.php"
["SCRIPT_FILENAME"]=>
string(10) "Shell.php"
["PATH_TRANSLATED"]=>
string(10) "Shell.php"
["DOCUMENT_ROOT"]=>
string(0) ""
["REQUEST_TIME"]=>
int(1247162183)
["argv"]=>
array(1) {
[0]=>
string(10) "Shell.php"
}
["argc"]=>
int(1)
}
Stefano (info at sarchittu dot org) ¶
13 years ago
A way to get the absolute path of your page, independent from the site position (so works both on local machine and on server without setting anything) and from the server OS (works both on Unix systems and Windows systems).
The only parameter it requires is the folder in which you place this script
So, for istance, I'll place this into my SCRIPT folder, and I'll write SCRIPT word length in $conflen
<?php
$conflen=strlen('SCRIPT');
$B=substr(__FILE__,0,strrpos(__FILE__,'/'));
$A=substr($_SERVER['DOCUMENT_ROOT'], strrpos($_SERVER['DOCUMENT_ROOT'], $_SERVER['PHP_SELF']));
$C=substr($B,strlen($A));
$posconf=strlen($C)-$conflen-1;
$D=substr($C,1,$posconf);
$host='http://'.$_SERVER['SERVER_NAME'].'/'.$D;
?>
$host will finally contain the absolute path.
rulerof at gmail dot com ¶
13 years ago
I needed to get the full base directory of my script local to my webserver, IIS 7 on Windows 2008.
I ended up using this:
<?php
function GetBasePath() {
return substr($_SERVER['SCRIPT_FILENAME'], 0, strlen($_SERVER['SCRIPT_FILENAME']) - strlen(strrchr($_SERVER['SCRIPT_FILENAME'], "\\")));
}
?>
And it returned C:\inetpub\wwwroot\<applicationfolder> as I had hoped.
chris ¶
14 years ago
A table of everything in the $_SERVER array can be found near the bottom of the output of phpinfo();
Tom ¶
11 years ago
Be warned that most contents of the Server-Array (even $_SERVER['SERVER_NAME']) are provided by the client and can be manipulated. They can also be used for injections and thus MUST be checked and treated like any other user input.
info at mtprod dot com ¶
15 years ago
On Windows IIS 7 you must use $_SERVER['LOCAL_ADDR'] rather than $_SERVER['SERVER_ADDR'] to get the server's IP address.
chris at ocproducts dot com ¶
7 years ago
Guide to URL paths...
Data: $_SERVER['PHP_SELF']
Data type: String
Purpose: The URL path name of the current PHP file, including path-info (see $_SERVER['PATH_INFO']) and excluding URL query string. Includes leading slash.
Caveat: This is after URL rewrites (i.e. it's as seen by PHP, not necessarily the original call URL).
Works on web mode: Yes
Works on CLI mode: Tenuous (emulated to contain just the exact call path of the CLI script, with whatever exotic relative pathname you may call with, not made absolute and not normalised or pre-resolved)
Data: $_SERVER['SCRIPT_NAME']
Data type: String
Purpose: The URL path name of the current PHP file, excluding path-info and excluding URL query string. Includes leading slash.
Caveat: This is after URL rewrites (i.e. it's as seen by PHP, not necessarily the original call URL).
Caveat: Not set on all PHP environments, may need setting via preg_replace('#\.php/.*#', '.php', $_SERVER['PHP_SELF']).
Works on web mode: Yes
Works on CLI mode: Tenuous (emulated to contain just the exact call path of the CLI script, with whatever exotic relative pathname you may call with, not made absolute and not normalised or pre-resolved)
Data: $_SERVER['REDIRECT_URL']
Data type: String
Purpose: The URL path name of the current PHP file, path-info is N/A and excluding URL query string. Includes leading slash.
Caveat: This is before URL rewrites (i.e. it's as per the original call URL).
Caveat: Not set on all PHP environments, and definitely only ones with URL rewrites.
Works on web mode: Yes
Works on CLI mode: No
Data: $_SERVER['REQUEST_URI']
Data type: String
Purpose: The URL path name of the current PHP file, including path-info and including URL query string. Includes leading slash.
Caveat: This is before URL rewrites (i.e. it's as per the original call URL). *
*: I've seen at least one situation where this is not true (there was another $_SERVER variable to use instead supplied by the URL rewriter), but the author of the URL rewriter later fixed it so probably fair to dismiss this particular note.
Caveat: Not set on all PHP environments, may need setting via $_SERVER['REDIRECT_URL'] . '?' . http_build_query($_GET) [if $_SERVER['REDIRECT_URL'] is set, and imperfect as we don't know what GET parameters were originally passed vs which were injected in the URL rewrite] --otherwise-- $_SERVER['PHP_SELF'] . '?' . http_build_query($_GET).
Works on web mode: Yes
Works on CLI mode: No
Data: $_SERVER['PATH_INFO']
Data type: String
Purpose: Find the path-info, which is data after the .php filename in the URL call. It's a strange concept.
Caveat: Some environments may not support it, it is best avoided unless you have complete server control
Works on web mode: Yes
Works on CLI mode: No
Note that if something is not set it may be missing from $_SERVER, or it may be blank, so use PHP's 'empty' function for your test.
chris at ocproducts dot com ¶
7 years ago
Guide to script parameters...
Data: $_GET
Data type: Array (map)
Purpose: Contains all GET parameters (i.e. a parsed URL query string).
Caveat: GET parameter names have to be compliant with PHP variable naming, e.g. dots are not allowed and get substituted.
Works on web mode: Yes
Works on CLI mode: No
Data: $_SERVER['QUERY_STRING']
Data type: String
Purpose: Gets an unparsed URL query string.
Caveat: Not set on all PHP environments, may need setting via http_build_query($_GET).
Works on web mode: Yes
Works on CLI mode: No
Data: $_SERVER['argv']
Data type: Array (list)
Purpose: Get CLI call parameters.
Works on web mode: Tenuous (just contains a single parameter, the query string)
Works on CLI mode: Yes
php at isnoop dot net ¶
14 years ago
Use the apache SetEnv directive to set arbitrary $_SERVER variables in your vhost or apache config.
SetEnv varname "variable value"
mirko dot steiner at slashdevslashnull dot de ¶
14 years ago
<?php
// RFC 2616 compatible Accept Language Parser
// http://www.ietf.org/rfc/rfc2616.txt, 14.4 Accept-Language, Page 104
// Hypertext Transfer Protocol -- HTTP/1.1
foreach (explode(',', $_SERVER['HTTP_ACCEPT_LANGUAGE']) as $lang) {
$pattern = '/^(?P<primarytag>[a-zA-Z]{2,8})'.
'(?:-(?P<subtag>[a-zA-Z]{2,8}))?(?:(?:;q=)'.
'(?P<quantifier>\d\.\d))?$/';
$splits = array();
printf("Lang:,,%s''\n", $lang);
if (preg_match($pattern, $lang, $splits)) {
print_r($splits);
} else {
echo "\nno match\n";
}
}
?>
example output:
Google Chrome 3.0.195.27 Windows xp
Lang:,,de-DE''
Array
(
[0] => de-DE
[primarytag] => de
[1] => de
[subtag] => DE
[2] => DE
)
Lang:,,de;q=0.8''
Array
(
[0] => de;q=0.8
[primarytag] => de
[1] => de
[subtag] =>
[2] =>
[quantifier] => 0.8
[3] => 0.8
)
Lang:,,en-US;q=0.6''
Array
(
[0] => en-US;q=0.6
[primarytag] => en
[1] => en
[subtag] => US
[2] => US
[quantifier] => 0.6
[3] => 0.6
)
Lang:,,en;q=0.4''
Array
(
[0] => en;q=0.4
[primarytag] => en
[1] => en
[subtag] =>
[2] =>
[quantifier] => 0.4
[3] => 0.4
)
sammyhacker at gmail dot com ¶
2 years ago
To put it simply, $_SERVER contains all the environment variables.
CGI works by an HTTP application server filling in all the required environment variables and invoking the PHP process. And these environment variables are stored under $_SERVER.
wbeaumo1 at gmail dot com ¶
13 years ago
Don't forget $_SERVER['HTTP_COOKIE']. It contains the raw value of the 'Cookie' header sent by the user agent.
plugwash at p10link dot net ¶
9 years ago
Be aware that it's a bad idea to access x-forwarded-for and similar headers through this array. The header names are mangled when populating the array and this mangling can introduce spoofing vulnerabilities.
See http://en.wikipedia.org/wiki/User:Brion_VIBBER/Cool_Cat_incident_report for details of a real world exploit of this.
wyattstorch42 at outlook dot com ¶
10 years ago
<?php
/*
* I wrote this because I was including a file with classes in it. Let's say that
* I have a contact page at mysite.com/contact/index.php and a Form class at
* mysite.com/classes/Form.php. So in index.php, I have this statement:
* require '../classes/Form.php';
* The Form class includes a method to generate the HTML markup for a number of
* form elements, including a CAPTCHA image and associated text field. To do so,
* it must generate an <img /> element and give it a src of Form.php?captcha.
* But I wanted it to automatically generate a src attribute without index.php
* giving it a relative path. This script comes in handy by automatically
* locating the directory that contains the included file (Form.php) and converting
* it from an absolute path to a relative path that could be used for an img src,
* an a href, a link href, etc.
*/
function relativeURL () {
$dir = str_replace('\\', '/', __DIR__);
// Resolves inconsistency with PATH_SEPARATOR on Windows vs. Linux
// Use dirname(__FILE__) in place of __DIR__ for older PHP versions
return substr($dir, strlen($_SERVER['DOCUMENT_ROOT']));
// Clip off the part of the path outside of the document root
}
/*
*contact/index.php
*/
require '../classes/Form.php';
new Form()->drawCaptchaField();
// Writes: <img src="/classes/Form.php?captcha" />
/*
* classes/Form.php
*/
if (isset($_GET['captcha'])) {
// generate/return CAPTCHA image
}
class Form {
// ...
public function drawCaptchaField () {
echo '<img src="'.relativeURL().'?captcha" />';
}
}
?>
lemonostif at gmail dot com ¶
4 years ago
PHP_SELF is a disgrace of a programmer's work. One of the most widespread PHP vulnerabilities since version 4 and the manual says nothing about the dangers. At least clarify that ITS VALUE CAN BE PROVIDED BY THE USER with capitals preferably if you want to make the internet a safer place...
DanielTahar ¶
3 years ago
To expand a bit on the price you could pay for relying on 'HTTP_REFERER': several large news sites I read often have paywalls, with cookies in place so you can only read X articles before you must subscribe; if using Incognito, they count the number of times you accessed via the same IP; everything to get you to subscribe. However, in order to be appealing, any visit where the 'HTTP_REFERER' is Google News will give you the entire article. I'm sure it's a dilemma their webmasters have, but for now any time someone sends you a story on one of them, all you have to do is search for the title and click the result from Google News. Bottom line: never count on it.
PS (1): ofcourse i'm talking about a friend. I pay for content.
PS (2): after some debate, the RFC decided to keep 'HTTP_REFERER', although it's misspelled.
jarrod at squarecrow dot com ¶
14 years ago
$_SERVER['DOCUMENT_ROOT'] is incredibly useful especially when working in your development environment. If you're working on large projects you'll likely be including a large number of files into your pages. For example:
<?php
//Defines constants to use for "include" URLS - helps keep our paths clean
define("REGISTRY_CLASSES", $_SERVER['DOCUMENT_ROOT']."/SOAP/classes/");
define("REGISTRY_CONTROLS", $_SERVER['DOCUMENT_ROOT']."/SOAP/controls/");
define("STRING_BUILDER", REGISTRY_CLASSES. "stringbuilder.php");
define("SESSION_MANAGER", REGISTRY_CLASSES. "sessionmanager.php");
define("STANDARD_CONTROLS", REGISTRY_CONTROLS."standardcontrols.php");
?>
In development environments, you're rarely working with your root folder, especially if you're running PHP locally on your box and using DOCUMENT_ROOT is a great way to maintain URL conformity. This will save you hours of work preparing your application for deployment from your box to a production server (not to mention save you the headache of include path failures).
jette at nerdgirl dot dk ¶
15 years ago
Windows running IIS v6 does not include $_SERVER['SERVER_ADDR']
If you need to get the IP addresse, use this instead:
<?php
$ipAddress = gethostbyname($_SERVER['SERVER_NAME']);
?>
pudding06 at gmail dot com ¶
14 years ago
Here's a simple, quick but effective way to block unwanted external visitors to your local server:
<?php
// only local requests
if ($_SERVER['REMOTE_ADDR'] !== '127.0.0.1') die(header("Location: /"));
?>
This will direct all external traffic to your home page. Of course you could send a 404 or other custom error. Best practice is not to stay on the page with a custom error message as you acknowledge that the page does exist. That's why I redirect unwanted calls to (for example) phpmyadmin.
dtomasiewicz at gmail dot com ¶
13 years ago
To get an associative array of HTTP request headers formatted similarly to get_headers(), this will do the trick:
<?php
/**
* Transforms $_SERVER HTTP headers into a nice associative array. For example:
* array(
* 'Referer' => 'example.com',
* 'X-Requested-With' => 'XMLHttpRequest'
* )
*/
function get_request_headers() {
$headers = array();
foreach($_SERVER as $key => $value) {
if(strpos($key, 'HTTP_') === 0) {
$headers[str_replace(' ', '-', ucwords(str_replace('_', ' ', strtolower(substr($key, 5)))))] = $value;
}
}
return $headers;
}
?>
pomat at live dot it ¶
10 years ago
$_SERVER['DOCUMENT_ROOT'] may contain backslashes on windows systems, and of course it may or may not have a trailing slash (backslash).
I saw the following as an example of the proper way we're supposed to deal with this issue:
<?php
include(dirname($_SERVER['DOCUMENT_ROOT']) . DIRECTORY_SEPARATOR . 'file.php');
?>
Ok, the latter may be used to access a file inside the parent directory of the document root, but actually does not properly address the issue.
In the end, don't warry about. It should be safe to use forward slashes and append a trailing slash in all cases.
Let's say we have this:
<?php
$path = 'subdir/file.php';
$result = $_SERVER['DOCUMENT_ROOT'] . '/' . $path;
?>
On linux $result might be something like
1) "/var/www/subdir/file.php"
2) "/var/www//subdir/file.php"
String 2 is parsed the same as string 1 (have a try with command 'cd').
On windows $result might be something like
1) "C:/apache/htdocs/subdir/file.php"
2) "C:/apache/htdocs//subdir/file.php"
3) "C:\apache\htdocs/subdir/file.php"
4) "C:\apache\htdocs\/subdir/file.php"
All those strings are parsed as "C:\apache\htdocs\subdir\file.php" (have a try with 'cd').
silverquick at gmail dot com ¶
15 years ago
I think the HTTPS element will only be present under Apache 2.x. It's not in the list of "special" variables here:
http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html#RewriteCond
But it is here:
http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html#rewritecond
picov at e-link dot it ¶
12 years ago
A simple function to detect if the current page address was rewritten by mod_rewrite:
<?php
public function urlWasRewritten() {
$realScriptName=$_SERVER['SCRIPT_NAME'];
$virtualScriptName=reset(explode("?", $_SERVER['REQUEST_URI']));
return !($realScriptName==$virtualScriptName);
}
?>
cupy at email dot cz ¶
14 years ago
Tech note:
$_SERVER['argc'] and $_SERVER['argv'][] has some funny behaviour,
used from linux (bash) commandline, when called like
"php ./script_name.php 0x020B"
there is everything correct, but
"./script_name.php 0x020B"
is not correct - "0" is passed instead of "0x020B" as $_SERVER['argv'][1] - see the script below.
Looks like the parameter is not passed well from bash to PHP.
(but, inspected on the level of bash, 0x020B is understood well as $1)
try this example:
------------->8------------------
cat ./script_name.php
#! /usr/bin/php
if( $_SERVER['argc'] == 2)
{
// funny... we have to do this trick to pass e.g. 0x020B from parameters
// ignore this: "PHP Notice: Undefined offset: 2 in ..."
$EID = $_SERVER['argv'][1] + $_SERVER['argv'][2] + $_SERVER['argv'][3];
}
else
{ // default
$EID = 0x0210; // PPS failure
}
razvan_bc at yahoo dot com ¶
5 years ago
In 2018 things can be pretty cool !!!
look around:
<?php
//save it index.php in a root folder
/*
if($_SERVER["REQUEST_METHOD"]!='GET'){
echo('it`s a POST');
}else{
echo('it`s a GET');
}
*/
$_REQ =& $_SERVER["REQUEST_METHOD"];
($_REQ=='POST')and($what='it`s a POST');
($_REQ=='GET')and($what='it`s a GET');
isset($what) and print($what);
?>
<form method="POST" action="">
<input type="text" name="postbaby" value="sadasdsa">
<input type="submit" value="POST THAT">
</form>
<br>
<form method="GET" action="">
<input type="text" name="getbaby" value="sadasdsa">
<input type="submit" value="GET THAT">
</form>
<hr><?php
phpinfo();
?>
what if you have a class with controllers?
i hope will not be depreciated cause STATIC CALLS I TEST ALREADY ARE VERY FAST:
<?php
//save it index.php in a root folder
/*
if($_SERVER["REQUEST_METHOD"]!='GET'){
echo('it`s a POST');
}else{
echo('it`s a GET');
}
*/
class forms {
public static function type(){
return $_SERVER["REQUEST_METHOD"];
}
public static function post($f){
(self::type()=='POST')and $f();
}
public static function get($f){
(self::type()=='GET')and $f();
}
}
?>
<form method="POST" action="">
<input type="text" name="postbaby" value="sadasdsa">
<input type="submit" value="POST THAT">
</form>
<br>
<form method="GET" action="">
<input type="text" name="getbaby" value="sadasdsa">
<input type="submit" value="GET THAT">
</form>
<hr><?php
forms::post(function(){
$what='it`s a POST';echo($what);
});
forms::get(function(){
$what='it`s a GET';echo($what);
});
//phpinfo();
?>
jit_chavan at yahoo dot com ¶
10 years ago
searched $_SERVER["REDIRECT_URL"] for a while and noted that it is not mentioned in php documentation page itself. look like this is only generated by apache server(not others) and using $_SERVER["REQUEST_URI"] will be useful in some cases as mine.
Skylar ¶
5 years ago
A snippet to list the header values:
<?php
echo <<<END
<!DOCTYPE html>
<meta charset="UTF-8" />
<title>\$_SERVER</title>
<style>
table {
border-collapse: collapse;
}
td {
border: 1px solid #999;
padding: 3px;
}
</style>
<table>
END;
foreach ($_SERVER as $k => $v) {
$key = htmlentities($k);
$value = htmlentities($v);
echo "\n\t<tr>\n\t\t<td>$key\n\t\t<td>$value\n";
}
echo "</table>";
?>
2962051004 at qq dot com ¶
6 years ago
<?php
/*
Sometimes you will find that your website will not get the correct user IP after adding CDN, then this function will help you
*/
function real_ip()
{
$ip = $_SERVER['REMOTE_ADDR'];
if (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && preg_match_all('#\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}#s', $_SERVER['HTTP_X_FORWARDED_FOR'], $matches)) {
foreach ($matches[0] AS $xip) {
if (!preg_match('#^(10|172\.16|192\.168)\.#', $xip)) {
$ip = $xip;
break;
}
}
} elseif (isset($_SERVER['HTTP_CLIENT_IP']) && preg_match('/^([0-9]{1,3}\.){3}[0-9]{1,3}$/', $_SERVER['HTTP_CLIENT_IP'])) {
$ip = $_SERVER['HTTP_CLIENT_IP'];
} elseif (isset($_SERVER['HTTP_CF_CONNECTING_IP']) && preg_match('/^([0-9]{1,3}\.){3}[0-9]{1,3}$/', $_SERVER['HTTP_CF_CONNECTING_IP'])) {
$ip = $_SERVER['HTTP_CF_CONNECTING_IP'];
} elseif (isset($_SERVER['HTTP_X_REAL_IP']) && preg_match('/^([0-9]{1,3}\.){3}[0-9]{1,3}$/', $_SERVER['HTTP_X_REAL_IP'])) {
$ip = $_SERVER['HTTP_X_REAL_IP'];
}
return $ip;
}
echo real_ip();
?>
centurianii at yahoo dot co dot uk ¶
6 years ago
If you apply redirection in ALL your requests using commands at the Apache virtual host file like:
RewriteEngine On
RewriteCond "%{REQUEST_URI}" "!=/index.php"
RewriteRule "^/(.*)$" "index.php?$1" [NC,NE,L,QSA]
you should expect some deviations in your $_SERVER global.
Say, you send a url of: [hostname here]/a/b?x=1&y=2
which makes Apache to modify to: /index.php?/a/b?x=1&y=2
Now your $_SERVER global contains among others:
'REQUEST_URI' => '/a/b?x=1&y=2', it retains the initial url after the host
'QUERY_STRING' => 'a/b&x=1&y=2', notice how php replaces '?' with '&'
'SCRIPT_NAME' => '/index.php', as it was intended to be.
To test your $_SERVER global:
function serverArray(){
$arr = array();
foreach($_SERVER as $key=>$value)
$arr[] = ' \'' . $key . '\' => \'' . (isset($value)? $value : '-') . '\'';
return @\sort($arr)? '$_SERVER = array(<br />' . implode($arr, ',<br />') . '<br />);' : false;
}
echo serverArray();
lilJoshu ¶
5 years ago
Remember,
Although $_SERVER["REQUEST_METHOD"] is initially built with GET, POST, PUT, HEAD in mind, a server can allow more.
This may be important if you're building a RESTful interfaces that will also use methods such as PATCH and DELETE.
Also important as a security risk as a possible point of injection. In the event of building something acting based on REQUEST_METHOD, it's recommended to put it in a switch statement.
<?php
switch ($_SERVER["REQUEST_METHOD"]){
case "PUT":
foo_replace_data();
break;
case "POST":
foo_add_data();
break;
case "HEAD";
foo_set_that_cookie();
break;
case "GET":
default:
foo_fetch_stuff()
break;
}
?>
info at webforever dot es ¶
3 years ago
<?php
//Print all values on screen.
foreach($_SERVER as $x => $v) echo "$x : $v <br>";
?>
Johan Winge ¶
4 years ago
It should probably be noted that the value of $_SERVER['SERVER_PROTOCOL'] will never contain the substring "HTTPS". Assuming this is a common source of bugs and confusion. Instead, see $_SERVER['HTTPS'].
