PHP $ _ SERVER ['HTTP_HOST']对$ _ SERVER ['SERVER_NAME'],我在正确认识的手册页? [英] PHP $_SERVER['HTTP_HOST'] vs. $_SERVER['SERVER_NAME'], am I understanding the man pages correctly?

查看:276
本文介绍了PHP $ _ SERVER ['HTTP_HOST']对$ _ SERVER ['SERVER_NAME'],我在正确认识的手册页?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我做了很多搜索和阅读也PHP的$ _ SERVER手册页。我必须对使用哪种方式我的PHP脚本在整个我的网站使用了简单的链接定义这个权利?

I did a lot of searching and also read the PHP $_SERVER man page. Do I have this right regarding which to use for my PHP scripts for simple link definitions used throughout my site?

$ _ SERVER ['SERVER_NAME'] 基于您的Web服务器的配置文件(的Apache2在我的情况),并取决于几个指令:(1)虚拟主机,(2)服务器名,(3)UseCanonicalName等

$_SERVER['SERVER_NAME'] is based on your web servers' config file (Apache2 in my case), and varies depending on a few directives: (1) VirtualHost, (2) ServerName, (3) UseCanonicalName, etc.

$ _ SERVER ['HTTP_HOST'] 是基于客户端的请求。

$_SERVER['HTTP_HOST'] is based on the request from the client.

因此​​,它似乎对我来说,适当的一个,以便使用,使我的脚本尽可能地兼容将是 $ _ SERVER ['HTTP_HOST'] 。这是假设是正确的?

Therefore, it would seem to me that the proper one to use in order to make my scripts as compatible as possible would be $_SERVER['HTTP_HOST']. Is this assumption correct?

后续评论:

我想我有点偏执阅读这篇文章,并指出,有些人说,他们不会相信任何的$ _ SERVER瓦尔的后:

I guess I got a little paranoid after reading this article and noting that some folks said "they wouldn't trust any of the $_SERVER vars":


  • <一个href=\"http://markjaquith.word$p$pss.com/2009/09/21/php-server-vars-not-safe-in-forms-or-links/\">http://markjaquith.word$p$pss.com/2009/09/21/php-server-vars-not-safe-in-forms-or-links/

<一个href=\"http://php.net/manual/en/reserved.variables.server.php#89567\">http://php.net/manual/en/reserved.variables.server.php#89567 (注释:弗拉基米尔Kornea 14月2009年1时06分)

http://php.net/manual/en/reserved.variables.server.php#89567 (comment: Vladimir Kornea 14-Mar-2009 01:06)

显然的讨论主要是关于 $ _ SERVER ['PHP_SELF'] 为什么在表单action属性没有适当的逃逸到prevent你不应该使用它XSS攻击。

Apparently the discussion is mainly about $_SERVER['PHP_SELF'] and why you shouldn't use it in the form action attribute without proper escaping to prevent XSS attacks.

我对我的上述原来的问题的结论是,这是安全的用 $ _ SERVER ['HTTP_HOST'] 有关网站的所有链接,而无需担心XSS攻击,表单中使用时也是如此。

My conclusion about my original question above is that it is "safe" to use $_SERVER['HTTP_HOST'] for all links on a site without having to worry about XSS attacks, even when used in forms.

如果我错了,请大家指正。

Please correct me if I'm wrong.

推荐答案

这可能是每个人的第一想法。但它是一个有点难度。请参见克里斯Shiflett的文章中的 SERVER_NAME 对战 HTTP_HOST

That’s probably everyone’s first thought. But it’s a little bit more difficult. See Chris Shiflett’s article SERVER_NAME Versus HTTP_HOST.

似乎没有银弹。只有当你强制Apache在使用规范名称你总是会得到正确的服务器名称与 SERVER_NAME

It seems that there is no silver bullet. Only when you force Apache to use the canonical name you will always get the right server name with SERVER_NAME.

让你无论是与去还是你检查主机名称对一个白名单:

So you either go with that or you check the host name against a white list:

$allowed_hosts = array('foo.example.com', 'bar.example.com');
if (!isset($_SERVER['HTTP_HOST']) || !in_array($_SERVER['HTTP_HOST'], $allowed_hosts)) {
    header($_SERVER['SERVER_PROTOCOL'].' 400 Bad Request');
    exit;
}

这篇关于PHP $ _ SERVER ['HTTP_HOST']对$ _ SERVER ['SERVER_NAME'],我在正确认识的手册页?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
PHP最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆