PHP $_SERVER['HTTP_HOST'] 与 $_SERVER['SERVER_NAME'],我是否正确理解手册页? [英] PHP $_SERVER['HTTP_HOST'] vs. $_SERVER['SERVER_NAME'], am I understanding the man pages correctly?
问题描述
我进行了大量搜索并阅读了 PHP $_SERVER 文档.我是否有权决定在我的 PHP 脚本中使用哪些用于整个站点中使用的简单链接定义?
I did a lot of searching and also read the PHP $_SERVER docs. Do I have this right regarding which to use for my PHP scripts for simple link definitions used throughout my site?
$_SERVER['SERVER_NAME']
基于您的 Web 服务器的配置文件(在我的例子中是 Apache2),并且取决于一些指令:(1) VirtualHost,(2) ServerName,(3) UseCanonicalName等
$_SERVER['SERVER_NAME']
is based on your web server's config file (Apache2 in my case), and varies depending on a few directives: (1) VirtualHost, (2) ServerName, (3) UseCanonicalName, etc.
$_SERVER['HTTP_HOST']
基于客户端的请求.
因此,在我看来,为了使我的脚本尽可能兼容,最好使用 $_SERVER['HTTP_HOST']
.这个假设正确吗?
Therefore, it would seem to me that the proper one to use in order to make my scripts as compatible as possible would be $_SERVER['HTTP_HOST']
. Is this assumption correct?
后续评论:
我想我在阅读这篇文章后有点偏执,并注意到有些人说他们不会相信任何 $_SERVER
变量":
I guess I got a little paranoid after reading this article and noting that some folks said "they wouldn't trust any of the $_SERVER
vars":
http://php.net/manual/en/reserved.variables.server.php#89567(评论:Vladimir Kornea 14-Mar-2009 01:06)
http://php.net/manual/en/reserved.variables.server.php#89567 (comment: Vladimir Kornea 14-Mar-2009 01:06)
显然讨论主要是关于 $_SERVER['PHP_SELF']
以及为什么你不应该在没有适当转义的情况下在表单 action 属性中使用它以防止 XSS 攻击.
Apparently the discussion is mainly about $_SERVER['PHP_SELF']
and why you shouldn't use it in the form action attribute without proper escaping to prevent XSS attacks.
我对上述原始问题的结论是,对站点上的所有链接使用 $_SERVER['HTTP_HOST']
是安全的",而不必担心 XSS 攻击,即使使用时也是如此以表格形式.
My conclusion about my original question above is that it is "safe" to use $_SERVER['HTTP_HOST']
for all links on a site without having to worry about XSS attacks, even when used in forms.
如果我错了,请纠正我.
Please correct me if I'm wrong.
推荐答案
这可能是每个人的第一个想法.但这有点困难.参见 Chris Shiflett 的文章SERVER_NAME
与 HTTP_HOST
对比.
That’s probably everyone’s first thought. But it’s a little bit more difficult. See Chris Shiflett’s article SERVER_NAME
Versus HTTP_HOST
.
似乎没有灵丹妙药.只有当您强制 Apache 使用规范名称时,您才会始终使用 SERVER_NAME
获取正确的服务器名称.
It seems that there is no silver bullet. Only when you force Apache to use the canonical name you will always get the right server name with SERVER_NAME
.
所以你要么选择这个,要么对照白名单检查主机名:
So you either go with that or you check the host name against a white list:
$allowed_hosts = array('foo.example.com', 'bar.example.com');
if (!isset($_SERVER['HTTP_HOST']) || !in_array($_SERVER['HTTP_HOST'], $allowed_hosts)) {
header($_SERVER['SERVER_PROTOCOL'].' 400 Bad Request');
exit;
}
这篇关于PHP $_SERVER['HTTP_HOST'] 与 $_SERVER['SERVER_NAME'],我是否正确理解手册页?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!