Reputation: 53
$_SERVER["REQUEST_URI"] is it secure?
i have a question about these function: $_SERVER["REQUEST_URI"]. Can somebody tell me if it's safe to use like i use it ( these form i use for new topic in forum )?
<form name="vpid" action="<?php echo htmlspecialchars($_SERVER["REQUEST_URI"]);?>" method="post">
Thank you
Upvotes: 3
Views: 4498
Answers (2)
Reputation: 1317
Already an old question, but no, you cannot trust $_SERVER['REQUEST_URI'] because, it will only be available on an apache server.
Here is how Drupal handles it on the 7.x version
function request_uri() {
if (isset($_SERVER['REQUEST_URI'])) {
$uri = $_SERVER['REQUEST_URI'];
}
else {
if (isset($_SERVER['argv'])) {
$uri = $_SERVER['SCRIPT_NAME'] . '?' . $_SERVER['argv'][0];
}
elseif (isset($_SERVER['QUERY_STRING'])) {
$uri = $_SERVER['SCRIPT_NAME'] . '?' . $_SERVER['QUERY_STRING'];
}
else {
$uri = $_SERVER['SCRIPT_NAME'];
}
}
// Prevent multiple slashes to avoid cross site requests via the Form API.
$uri = '/' . ltrim($uri, '/');
return $uri;
}
And the WordPress version from v3.0.0 up to now. Its purpose is to fill in the blanks and normalize the $_SERVER variables.
function wp_fix_server_vars() {
global $PHP_SELF;
$default_server_values = array(
'SERVER_SOFTWARE' => '',
'REQUEST_URI' => '',
);
$_SERVER = array_merge( $default_server_values, $_SERVER );
// Fix for IIS when running with PHP ISAPI.
if ( empty( $_SERVER['REQUEST_URI'] ) || ( 'cgi-fcgi' !== PHP_SAPI && preg_match( '/^Microsoft-IIS\//', $_SERVER['SERVER_SOFTWARE'] ) ) ) {
if ( isset( $_SERVER['HTTP_X_ORIGINAL_URL'] ) ) {
// IIS Mod-Rewrite.
$_SERVER['REQUEST_URI'] = $_SERVER['HTTP_X_ORIGINAL_URL'];
} elseif ( isset( $_SERVER['HTTP_X_REWRITE_URL'] ) ) {
// IIS Isapi_Rewrite.
$_SERVER['REQUEST_URI'] = $_SERVER['HTTP_X_REWRITE_URL'];
} else {
// Use ORIG_PATH_INFO if there is no PATH_INFO.
if ( ! isset( $_SERVER['PATH_INFO'] ) && isset( $_SERVER['ORIG_PATH_INFO'] ) ) {
$_SERVER['PATH_INFO'] = $_SERVER['ORIG_PATH_INFO'];
}
// Some IIS + PHP configurations put the script-name in the path-info (no need to append it twice).
if ( isset( $_SERVER['PATH_INFO'] ) ) {
if ( $_SERVER['PATH_INFO'] == $_SERVER['SCRIPT_NAME'] ) {
$_SERVER['REQUEST_URI'] = $_SERVER['PATH_INFO'];
} else {
$_SERVER['REQUEST_URI'] = $_SERVER['SCRIPT_NAME'] . $_SERVER['PATH_INFO'];
}
}
// Append the query string if it exists and isn't null.
if ( ! empty( $_SERVER['QUERY_STRING'] ) ) {
$_SERVER['REQUEST_URI'] .= '?' . $_SERVER['QUERY_STRING'];
}
}
}
// Fix for PHP as CGI hosts that set SCRIPT_FILENAME to something ending in php.cgi for all requests.
if ( isset( $_SERVER['SCRIPT_FILENAME'] ) && ( strpos( $_SERVER['SCRIPT_FILENAME'], 'php.cgi' ) == strlen( $_SERVER['SCRIPT_FILENAME'] ) - 7 ) ) {
$_SERVER['SCRIPT_FILENAME'] = $_SERVER['PATH_TRANSLATED'];
}
// Fix for Dreamhost and other PHP as CGI hosts.
if ( strpos( $_SERVER['SCRIPT_NAME'], 'php.cgi' ) !== false ) {
unset( $_SERVER['PATH_INFO'] );
}
// Fix empty PHP_SELF.
$PHP_SELF = $_SERVER['PHP_SELF'];
if ( empty( $PHP_SELF ) ) {
$_SERVER['PHP_SELF'] = preg_replace( '/(\?.*)?$/', '', $_SERVER['REQUEST_URI'] );
$PHP_SELF = $_SERVER['PHP_SELF'];
}
}
Symfony HttpFoundation method is a little bit more complex.
Upvotes: 2
Reputation: 168655
The first thing I'd say is that you probably don't need REQUEST_URI in this in this context.
If you want a form to post back to the current page, the action attribute can be set to blank string or a dot; you don't need to specify the whole current URL.
In cases where you do need it, the answer is that yes, REQUEST_URI is safe.
A lot of values in $_SERVER are not safe, so it's good to be cautious, but REQUEST_URI is safe because it represents the address that was used to get to the site; if the address is invalid, then the user wouldn't have been able to get to the server in the first place.
Other $_SERVER fields can be hacked; it's trivial to spoof things like REMOTE_HOST and HTTP_REFERER, so you should never rely on them to be reliable, but REQUEST_URI ought to be safe.
The main thing here though is that you shouldn't really need it anyway.
Upvotes: 3
Related Questions
- Does PHP's $_REQUEST method have a security problem?
- Security risk from using $_SERVER['REQUEST_URI'] in forms
- Secure $_GET & mysql usage?
- Which $_SERVER variables are safe?
- any security concerns with $_SERVER['REQUEST_URI'] and header('location: ...');
- php security should I hide query string in url
- $_SERVER['REQUEST_URI'] reliability?
- How to use $_GET securely?
- How to secure $_REQUEST?
- PHP URL Security Question