PHP $ _ SERVER ['HTTP_HOST']对$ _ SERVER ['SERVER_NAME'],我在正确认识的手册页? [英] PHP $_SERVER['HTTP_HOST'] vs. $_SERVER['SERVER_NAME'], am I understanding the man pages correctly?
问题描述
我做了很多搜索和阅读也PHP的$ _ SERVER手册页。我必须对使用哪种方式我的PHP脚本在整个我的网站使用了简单的链接定义这个权利?
I did a lot of searching and also read the PHP $_SERVER man page. Do I have this right regarding which to use for my PHP scripts for simple link definitions used throughout my site?
$ _ SERVER ['SERVER_NAME']
基于您的Web服务器的配置文件(的Apache2在我的情况),并取决于几个指令:(1)虚拟主机,(2)服务器名,(3)UseCanonicalName等
$_SERVER['SERVER_NAME']
is based on your web servers' config file (Apache2 in my case), and varies depending on a few directives: (1) VirtualHost, (2) ServerName, (3) UseCanonicalName, etc.
$ _ SERVER ['HTTP_HOST']
是基于客户端的请求。
$_SERVER['HTTP_HOST']
is based on the request from the client.
因此,它似乎对我来说,适当的一个,以便使用,使我的脚本尽可能地兼容将是 $ _ SERVER ['HTTP_HOST']
。这是假设是正确的?
Therefore, it would seem to me that the proper one to use in order to make my scripts as compatible as possible would be $_SERVER['HTTP_HOST']
. Is this assumption correct?
后续评论:
我想我有点偏执阅读这篇文章,并指出,有些人说,他们不会相信任何的$ _ SERVER瓦尔的后:
I guess I got a little paranoid after reading this article and noting that some folks said "they wouldn't trust any of the $_SERVER vars":
-
<一个href=\"http://markjaquith.word$p$pss.com/2009/09/21/php-server-vars-not-safe-in-forms-or-links/\">http://markjaquith.word$p$pss.com/2009/09/21/php-server-vars-not-safe-in-forms-or-links/
<一个href=\"http://php.net/manual/en/reserved.variables.server.php#89567\">http://php.net/manual/en/reserved.variables.server.php#89567 (注释:弗拉基米尔Kornea 14月2009年1时06分)
http://php.net/manual/en/reserved.variables.server.php#89567 (comment: Vladimir Kornea 14-Mar-2009 01:06)
显然的讨论主要是关于 $ _ SERVER ['PHP_SELF']
为什么在表单action属性没有适当的逃逸到prevent你不应该使用它XSS攻击。
Apparently the discussion is mainly about $_SERVER['PHP_SELF']
and why you shouldn't use it in the form action attribute without proper escaping to prevent XSS attacks.
我对我的上述原来的问题的结论是,这是安全的用 $ _ SERVER ['HTTP_HOST']
有关网站的所有链接,而无需担心XSS攻击,表单中使用时也是如此。
My conclusion about my original question above is that it is "safe" to use $_SERVER['HTTP_HOST']
for all links on a site without having to worry about XSS attacks, even when used in forms.
如果我错了,请大家指正。
Please correct me if I'm wrong.
推荐答案
这可能是每个人的第一想法。但它是一个有点难度。请参见克里斯Shiflett的文章中的 SERVER_NAME
对战 HTTP_HOST
的。
That’s probably everyone’s first thought. But it’s a little bit more difficult. See Chris Shiflett’s article SERVER_NAME
Versus HTTP_HOST
.
似乎没有银弹。只有当你强制Apache在使用规范名称你总是会得到正确的服务器名称与 SERVER_NAME
。
It seems that there is no silver bullet. Only when you force Apache to use the canonical name you will always get the right server name with SERVER_NAME
.
让你无论是与去还是你检查主机名称对一个白名单:
So you either go with that or you check the host name against a white list:
$allowed_hosts = array('foo.example.com', 'bar.example.com');
if (!isset($_SERVER['HTTP_HOST']) || !in_array($_SERVER['HTTP_HOST'], $allowed_hosts)) {
header($_SERVER['SERVER_PROTOCOL'].' 400 Bad Request');
exit;
}
这篇关于PHP $ _ SERVER ['HTTP_HOST']对$ _ SERVER ['SERVER_NAME'],我在正确认识的手册页?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!