PHP request URL host

$_SERVER

$_SERVER is an array containing information such as headers, paths, and script locations. The entries in this array are created by the web server, therefore there is no guarantee that every web server will provide any of these; servers may omit some, or provide others not listed here. However, most of these variables are accounted for in the CGI/1.1 specification, and are likely to be defined.

Note: When running PHP on the command line most of these entries will not be available or have any meaning.

In addition to the elements listed below, PHP will create additional elements with values from request headers. These entries will be named HTTP_ followed by the header name, capitalized and with underscores instead of hyphens. For example, the Accept-Language header would be available as $_SERVER['HTTP_ACCEPT_LANGUAGE'].

Indices

'PHP_SELF': The filename of the currently executing script, relative to the document root. For instance, $_SERVER['PHP_SELF'] in a script at the address http://example.com/foo/bar.php would be /foo/bar.php. The __FILE__ constant contains the full path and filename of the current (i.e. included) file. If PHP is running as a command-line processor this variable contains the script name.

'argv': Array of arguments passed to the script. When the script is run on the command line, this gives C-style access to the command line parameters. When called via the GET method, this will contain the query string.

'argc': Contains the number of command line parameters passed to the script (if run on the command line).

'GATEWAY_INTERFACE': What revision of the CGI specification the server is using; e.g. 'CGI/1.1'.

'SERVER_ADDR': The IP address of the server under which the current script is executing.

'SERVER_NAME': The name of the server host under which the current script is executing. If the script is running on a virtual host, this will be the value defined for that virtual host.

Note: Under Apache 2, UseCanonicalName = On and ServerName must be set. Otherwise, this value reflects the hostname supplied by the client, which can be spoofed. It is not safe to rely on this value in security-dependent contexts.

'SERVER_SOFTWARE': Server identification string, given in the headers when responding to requests.

'SERVER_PROTOCOL': Name and revision of the information protocol via which the page was requested; e.g. 'HTTP/1.0'.

'REQUEST_METHOD': Which request method was used to access the page; e.g. 'GET', 'HEAD', 'POST', 'PUT'.

Note: The PHP script is terminated after sending headers (that is, after producing any output without output buffering) if the request method was HEAD.

'REQUEST_TIME': The timestamp of the start of the request.

'REQUEST_TIME_FLOAT': The timestamp of the start of the request, with microsecond precision.

'QUERY_STRING': The query string, if any, via which the page was accessed.

'DOCUMENT_ROOT': The document root directory under which the current script is executing, as defined in the server's configuration file.

'HTTPS': Set to a non-empty value if the script was queried through the HTTPS protocol.

'REMOTE_ADDR': The IP address from which the user is viewing the current page.

'REMOTE_HOST': The host name from which the user is viewing the current page. The reverse DNS lookup is based on the REMOTE_ADDR of the user.

Note: The web server must be configured to create this variable. For example in Apache HostnameLookups On must be set inside httpd.conf for it to exist. See also gethostbyaddr().

'REMOTE_PORT': The port being used on the user's machine to communicate with the web server.

'REMOTE_USER': The authenticated user.

'REDIRECT_REMOTE_USER': The authenticated user if the request is internally redirected.

'SCRIPT_FILENAME': The absolute pathname of the currently executing script.

Note: If a script is executed with the CLI, as a relative path, such as file.php or ../file.php, $_SERVER['SCRIPT_FILENAME'] will contain the relative path specified by the user.

'SERVER_ADMIN': The value given to the SERVER_ADMIN (for Apache) directive in the web server configuration file. If the script is running on a virtual host, this will be the value defined for that virtual host.

'SERVER_PORT': The port on the server machine being used by the web server for communication. For default setups, this will be '80'; using SSL, for instance, will change this to whatever your defined secure HTTP port is.

Note: Under Apache 2, UseCanonicalName = On, as well as UseCanonicalPhysicalPort = On, must be set in order to get the physical (real) port; otherwise, this value can be spoofed, and it may or may not return the physical port value. It is not safe to rely on this value in security-dependent contexts.

'SERVER_SIGNATURE': String containing the server version and virtual host name which are added to server-generated pages, if enabled.

'PATH_TRANSLATED': Filesystem- (not document root-) based path to the current script, after the server has done any virtual-to-real mapping.

Note: Apache 2 users may use AcceptPathInfo = On inside httpd.conf to define PATH_INFO.

'SCRIPT_NAME': Contains the current script's path. This is useful for pages which need to point to themselves. The __FILE__ constant contains the full path and filename of the current (i.e. included) file.

'REQUEST_URI': The URI which was given in order to access this page; for instance, '/index.html'.

'PHP_AUTH_DIGEST': When doing Digest HTTP authentication this variable is set to the 'Authorization' header sent by the client (which you should then use to make the appropriate validation).

'PHP_AUTH_USER': When doing HTTP authentication this variable is set to the username provided by the user.

'PHP_AUTH_PW': When doing HTTP authentication this variable is set to the password provided by the user.

'AUTH_TYPE': When doing HTTP authentication this variable is set to the authentication type.

'PATH_INFO': Contains any client-provided pathname information trailing the actual script filename but preceding the query string, if available. For instance, if the current script was accessed via the URI http://www.example.com/php/path_info.php/some/stuff?foo=bar, then $_SERVER['PATH_INFO'] would contain /some/stuff.

'ORIG_PATH_INFO': Original version of 'PATH_INFO' before being processed by PHP.

Examples

Example #1 $_SERVER example


Get The Full Requested URL in PHP

While there is no function to obtain the full request URL in PHP, we can still make our own using a combination of server variables to get what we need.


Oddly, the full request URL is not directly accessible from PHP, since there seems to be no variable or function that reveals it. You can, however, write your own function that uses a combination of $_SERVER variables to "guess" the URL. A quick example of how to do this is included below:

$full_request_url = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off' ? 'https' : 'http') . '://'. $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; 

If the short if statement above is too hard to read, you can also code it like this:

$full_request_url = '';
if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
    $full_request_url .= 'https://';
} else {
    $full_request_url .= 'http://';
}
$full_request_url .= $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];

Note: You will not be able to return the part after the hash "#" character, also known as the fragment part of the URL, since it is not sent to the server as part of the request by the client. The hash is primarily used for client-side navigation on subsections, and corresponds to a unique ID in the HTML on a web page. So, if the fragment part is important, you will need to use JavaScript to obtain it.

Function to get full request URL

The HTTPS variable will be set to a non-empty value if the request was performed over the HTTPS protocol. Knowing this, you can use the empty function to check that the variable is not empty.

Since IIS on Windows might set the variable to "off" when HTTPS is not used, you will also need to check that the variable is not set to "off".

Normally HTTP requests on the web will go through port 80 (or 443 for HTTPS), so in most cases there is no need to include the port number; if for some reason you still need it, you can obtain it through the SERVER_PORT variable:

$full_request_url = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off' ? 'https' : 'http') . '://'. $_SERVER['HTTP_HOST'] . ':' . $_SERVER['SERVER_PORT'] . $_SERVER['REQUEST_URI']; 

You can easily create a function to return the full request URL whenever it is needed:

function full_request_url()
{
    return (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off' ? 'https' : 'http') . '://' . $_SERVER['HTTP_HOST'] . ':' . $_SERVER['SERVER_PORT'] . $_SERVER['REQUEST_URI'];
}

If you are in an object-oriented context, you may want to consider avoiding the use of superglobals directly: Avoid Direct Use of PHP Superglobals

Sanitizing client-controlled variables

Some of the server variables are controlled by the client, and can be manipulated by malicious users. However, for the most part this should not matter unless you use the value in a sensitive place, such as in a database, or even just to generate absolute paths for links on your page. Please do not use absolute paths: it is much easier to maintain your site with root-relative URLs, and you will avoid the issue of cache poisoning of your links. See also: Absolute and Relative Paths

For example, if the REQUEST_URI contains invalid characters, it probably results in a 404 error response being sent to the user/client. Only if you insert/use the data in a sensitive place should validation be necessary.

Likewise, the HTTP_HOST variable may be manipulated, but doing so will probably just result in your web server returning the wrong website (if you use virtual hosting). However, you should still be careful, because some servers will simply serve a "default" virtual host, and it might fall back to your PHP application!

While it does not usually cause any problems if someone manipulates the host variable, it might still be a problem due to cache poisoning attacks. If a cache server is storing copies of your HTML pages, and an attacker somehow manages to inject a different host into your links, the attacker could successfully redirect all or part of your traffic to their own malicious website.

As a result of the complexity involved, it is probably best if developers always validate these variables. You cannot expect that others who might be working on the code have the same overview of the application as yourself.

To validate the HTTP_HOST variable in your PHP application, you should maintain an array of known hosts, and simply use the value from the array rather than from the HTTP_HOST directly. This is a small inconvenience for achieving a bit of extra security.

Validating the REQUEST_URI is a bit more complex, and will also depend on your site’s structure. You may opt to use a regular expression and then only allow certain valid patterns.
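One way to implement the known-hosts check and a pattern check for REQUEST_URI described above, as an added example that is not code from the original article. The host list, the URI pattern, the function names and the sample requests are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Assumed allowlist for this example: the hosts this application serves.
const KNOWN_HOSTS = ['example.com', 'www.example.com'];

// Return the matching entry from the allowlist, or null for an unknown host.
function validated_host(array $server, array $knownHosts = KNOWN_HOSTS): ?string
{
    $raw = strtolower(trim((string) ($server['HTTP_HOST'] ?? '')));
    // Drop an optional ":port" suffix; the rest must match an entry exactly.
    $host = preg_replace('/:\d{1,5}$/D', '', $raw);
    $index = array_search($host, $knownHosts, true);
    // Hand back the value from our own array, never the header itself.
    return $index === false ? null : $knownHosts[$index];
}

// Accept only a conservative path plus optional query string (example pattern;
// adapt it to the site's real URL structure).
function validated_request_uri(array $server): ?string
{
    $uri = (string) ($server['REQUEST_URI'] ?? '');
    $shapeOk = preg_match('~^/[A-Za-z0-9_./-]*(\?[A-Za-z0-9_.=&%-]*)?$~D', $uri) === 1;
    // Reject dot-dot and empty path segments even though the characters are allowed.
    $segmentsOk = strpos($uri, '..') === false && strpos($uri, '//') === false;
    return ($shapeOk && $segmentsOk) ? $uri : null;
}

// Build the URL only from validated parts; null means "reject the request".
function safe_full_request_url(array $server): ?string
{
    $host = validated_host($server);
    $uri = validated_request_uri($server);
    if ($host === null || $uri === null) {
        return null;
    }
    $https = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    return ($https ? 'https' : 'http') . '://' . $host . $uri;
}

// Constructed sample requests (not real traffic).
$known = ['HTTP_HOST' => 'WWW.Example.com:443', 'HTTPS' => 'on', 'REQUEST_URI' => '/foo/bar.php?x=1'];
$unknown = ['HTTP_HOST' => 'unknown-host.test', 'HTTPS' => 'on', 'REQUEST_URI' => '/foo/bar.php'];
var_dump(safe_full_request_url($known), safe_full_request_url($unknown));
```

In a request handler, pass $_SERVER to safe_full_request_url() and answer with a 400 status when it returns null instead of building links from the raw header.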
