Reputation: 1310
I'm writing an app using PHP and have been looking into security issues. I'd like to know how the following code grabs browser information and how it is passed from the browser to the server:
$_SERVER['HTTP_USER_AGENT']
$_SERVER['REMOTE_ADDR']
gethostbyaddr($_SERVER['REMOTE_ADDR'])
Is this information encrypted when it's passed from the client PC to the server? Would it be easy for a hacker to steal this data?
Upvotes: 2
Views: 1704
Reputation: 1644
Essentially the PHP script gets these variables from the web server. On the manual page, there is a list of the variable names, and their descriptions.
So to answer your question shortly, they are gotten from the Web Server you are using.
If someone was to try to fake an example, like $_SERVER['REMOTE_ADDR'], there is information on how it can be done here, though I've never looked into it.
Hope this helps in some way :)
Upvotes: 0
Reputation: 116
The $_SERVER superglobal variable is passed from the web server rather than PHP, but some of its entries are taken from the HTTP request headers: say, those with the prefix "HTTP" are generated by the client (request headers), and REMOTE_ADDR is the address at the TCP level, which is not arbitrary but also not guaranteed.
Upvotes: 1
Reputation: 1935
Browser -> Apache -> PHP
Spoofing/faking $_SERVER variables other than HTTP is difficult, as there are some handshakes between your Apache and the browser, so if someone tries to spoof these variables he will not receive any response. For example, if someone tries to spoof REMOTE_ADDR, it is probable that the request will not be completed.
On the other hand, all the variables that start with HTTP_ are easy to spoof, and they are sent to PHP just as received by Apache from the browser. So, for example, a user can write a Curl script with a custom User Agent (HTTP_USER_AGENT) and you will receive the response as it is.
Upvotes: 1
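What the answers above describe, written out as an added example that is not part of any post: a logging helper that handles the three values from the question according to where each one comes from. The function name `client_info()`, its array keys, the injectable lookup parameters and the sample values are assumptions made for illustration.

```php
<?php
// Added example. client_info() and its array keys are hypothetical names.
// $ptr and $fwd are injectable DNS lookups so the sample below runs offline.
function client_info(array $server, ?callable $ptr = null, ?callable $fwd = null): array
{
    $ptr = $ptr ?? 'gethostbyaddr';   // reverse lookup: IP -> host name
    $fwd = $fwd ?? 'gethostbynamel';  // forward lookup: host name -> IPv4 list

    // REMOTE_ADDR is the peer address of the TCP connection, filled in by
    // the web server. Validate its format before using it anywhere.
    $ip = filter_var($server['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP);
    $ip = ($ip === false) ? null : $ip;

    // HTTP_USER_AGENT is copied from a request header, so it is text chosen
    // by the client. Strip control characters (CR/LF would let it forge
    // log lines) and cap the length before storing or printing it.
    $ua = (string) ($server['HTTP_USER_AGENT'] ?? '');
    $ua = substr((string) preg_replace('/[\x00-\x1F\x7F]/', '', $ua), 0, 256);

    // gethostbyaddr() returns whatever the PTR record says, and that record
    // is set by whoever runs reverse DNS for the address. Keep the name only
    // if a forward lookup of it leads back to the same IP.
    // gethostbynamel() returns IPv4 only, so IPv6 peers stay unverified here.
    $host = null;
    if ($ip !== null) {
        $name = $ptr($ip);
        if (is_string($name) && $name !== $ip) {
            $addrs = $fwd($name);
            if (is_array($addrs) && in_array($ip, $addrs, true)) {
                $host = $name;
            }
        }
    }

    return ['ip' => $ip, 'user_agent' => $ua, 'verified_host' => $host];
}

// Constructed sample input: a user agent carrying an injected line break,
// and stub DNS answers where the PTR name does not resolve back to the IP.
$sample = [
    'REMOTE_ADDR'     => '203.0.113.7',
    'HTTP_USER_AGENT' => "curl/8.0\r\nFAKE LOG LINE",
];
$stubPtr = fn (string $ip) => 'host.example.net';
$stubFwd = fn (string $name) => ['198.51.100.9'];

var_dump(client_info($sample, $stubPtr, $stubFwd));
```

In a real request, call `client_info($_SERVER)` with no lookup arguments so that PHP's own `gethostbyaddr()` and `gethostbynamel()` are used.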