PHP 手册
后退附录 J. 保留字列表前进


预定义变量

自 PHP 4.1.0 起,取得外部变量的首选方法是用下面提及的超全局变量。在此之前,人们要么依赖 register_globals,要么就是长长的预定义 PHP 数组($HTTP_*_VARS)。自 PHP 5.0.0 起,长格式的 PHP 预定义变量可以通过设置 register_long_arrays 来屏蔽。

服务器变量:$_SERVER

注: 在 PHP 4.1.0 及以后版本使用。之前的版本,使用 $HTTP_SERVER_VARS

$_SERVER 是一个包含诸如头信息(header)、路径(path)和脚本位置(script locations)的数组。数组的实体由 web 服务器创建。不能保证所有的服务器都能产生所有的信息;服务器可能忽略了一些信息,或者产生了一些未在下面列出的新的信息。这意味着,大量的这些变量在 CGI 1.1 规范中说明,所以应该仔细研究一下。

这是一个“superglobal”,或者可以描述为自动全局变量。这只不过意味这它在所有的脚本中都有效。在函数或方法中不需要使用 global $_SERVER; 访问它,就如同使用 $HTTP_SERVER_VARS 一样。

$HTTP_SERVER_VARS 包含着同样的信息,但是不是一个自动全局变量(注意:$HTTP_SERVER_VARS$_SERVER 是不同的变量,PHP 处理它们的方式不同)。

如果设置了 register_globals 指令,这些变量也在所有脚本中可用;也就是,分离了 $_SERVER$HTTP_SERVER_VARS 数组。相关信息,请参阅安全的相关章节使用 Register Globals。这些单独的全局变量不是自动全局变量。

或许会发现下面列出的某些 $_SERVER 元素并不可用。注意,如果以命令行方式运行 PHP,下面列出的元素几乎没有有效的(或是没有任何实际意义的)。

PHP_SELF

当前正在执行脚本的文件名,与 document root 相关。举例来说,在 URL 地址为 http://example.com/test.php/foo.bar 的脚本中使用 $_SERVER['PHP_SELF'] 将会得到 /test.php/foo.bar 这个结果。__FILE__ 常量包含当前(例如包含)文件的绝对路径和文件名。

如果 PHP 以命令行方式运行,该变量在 PHP 4.3.0 之前无效。

argv

传递给该脚本的参数。当脚本运行在命令行方式时,argv 变量传递给程序 C 语言样式的命令行参数。当调用 GET 方法时,该变量包含请求的数据。

argc

包含传递给程序的命令行参数的个数(如果运行在命令行模式)。

GATEWAY_INTERFACE

服务器使用的 CGI 规范的版本。例如,“CGI/1.1”。

SERVER_NAME

当前运行脚本所在服务器主机的名称。如果该脚本运行在一个虚拟主机上,该名称是由那个虚拟主机所设置的值决定。

SERVER_SOFTWARE

服务器标识的字串,在响应请求时的头信息中给出。

SERVER_PROTOCOL

请求页面时通信协议的名称和版本。例如,“HTTP/1.0”。

REQUEST_METHOD

访问页面时的请求方法。例如:“GET”、“HEAD”,“POST”,“PUT”。

注: 如果请求的方式是 HEAD,PHP 脚本将在送出头信息后中止(这意味着在产生任何输出后,不再有输出缓冲)。

REQUEST_TIME

请求开始时的时间戳。从 PHP 5.1.0 起有效。

QUERY_STRING

查询(query)的字符串(URL 中第一个问号 ? 之后的内容)。

DOCUMENT_ROOT

当前运行脚本所在的文档根目录。在服务器配置文件中定义。

HTTP_ACCEPT

当前请求的 Accept: 头信息的内容。

HTTP_ACCEPT_CHARSET

当前请求的 Accept-Charset: 头信息的内容。例如:“iso-8859-1,*,utf-8”。

HTTP_ACCEPT_ENCODING

当前请求的 Accept-Encoding: 头信息的内容。例如:“gzip”。

HTTP_ACCEPT_LANGUAGE

当前请求的 Accept-Language: 头信息的内容。例如:“en”。

HTTP_CONNECTION

当前请求的 Connection: 头信息的内容。例如:“Keep-Alive”。

HTTP_HOST

当前请求的 Host: 头信息的内容。

HTTP_REFERER

链接到当前页面的前一页面的 URL 地址。不是所有的用户代理(浏览器)都会设置这个变量,而且有的还可以手工修改 HTTP_REFERER。因此,这个变量不总是真实正确的。

HTTP_USER_AGENT

当前请求的 User-Agent: 头信息的内容。该字符串表明了访问该页面的用户代理的信息。一个典型的例子是:Mozilla/4.5 [en] (X11; U; Linux 2.2.9 i586)。也可以使用 get_browser() 得到此信息。

HTTPS

如果脚本是通过 HTTPS 协议被访问,则被设为一个非空的值。

REMOTE_ADDR

正在浏览当前页面用户的 IP 地址。

REMOTE_HOST

正在浏览当前页面用户的主机名。反向域名解析基于该用户的 REMOTE_ADDR

注: 必须配置 Web 服务器来建立此变量。例如 Apache 需要在 httpd.conf 中有 HostnameLookups On。参见 gethostbyaddr()

REMOTE_PORT

用户连接到服务器时所使用的端口。

SCRIPT_FILENAME

当前执行脚本的绝对路径名。

注: 如果脚本在 CLI 中被执行,作为相对路径,例如 file.php../file.php$_SERVER['SCRIPT_FILENAME'] 将包含用户指定的相对路径。

SERVER_ADMIN

该值指明了 Apache 服务器配置文件中的 SERVER_ADMIN 参数。如果脚本运行在一个虚拟主机上,则该值是那个虚拟主机的值。

SERVER_PORT

服务器所使用的端口。默认为“80”。如果使用 SSL 安全连接,则这个值为用户设置的 HTTP 端口。

SERVER_SIGNATURE

包含服务器版本和虚拟主机名的字符串。

PATH_TRANSLATED

当前脚本所在文件系统(不是文档根目录)的基本路径。这是在服务器进行虚拟到真实路径的映像后的结果。

注: PHP 4.3.2 之后,PATH_TRANSLATED 在 Apache 2 SAPI 模式下不再和 Apache 1 一样隐含赋值,而是若 Apache 不生成此值,PHP 便自己生成并将其值放入 SCRIPT_FILENAME 服务器常量中。这个修改遵守了 CGI 规范,PATH_TRANSLATED 仅在 PATH_INFO 被定义的条件下才存在。

Apache 2 用户可以使用 httpd.conf 中的 AcceptPathInfo On 来定义 PATH_INFO

SCRIPT_NAME

包含当前脚本的路径。这在页面需要指向自己时非常有用。__FILE__ 包含当前文件的绝对路径和文件名(例如包含文件)。

REQUEST_URI

访问此页面所需的 URI。例如,“/index.html”。

PHP_AUTH_DIGEST

当作为 Apache 模块运行时,进行 HTTP Digest 认证的过程中,此变量被设置成客户端发送的“Authorization”HTTP 头内容(以便作进一步的认证操作)。

PHP_AUTH_USER

当 PHP 运行在 Apache 或 IIS(PHP 5 是 ISAPI)模块方式下,并且正在使用 HTTP 认证功能,这个变量便是用户输入的用户名。

PHP_AUTH_PW

当 PHP 运行在 Apache 或 IIS(PHP 5 是 ISAPI)模块方式下,并且正在使用 HTTP 认证功能,这个变量便是用户输入的密码。

AUTH_TYPE

当 PHP 运行在 Apache 模块方式下,并且正在使用 HTTP 认证功能,这个变量便是认证的类型。

环境变量:$_ENV

注: 在 PHP 4.1.0 及以后版本使用。之前的版本,使用 $HTTP_ENV_VARS

在解析器运行时,这些变量从环境变量转变为 PHP 全局变量名称空间(namespace)。它们中的许多都是由 PHP 所运行的系统决定。完整的列表是不可能的。请查看系统的文档以确定其特定的环境变量。

其它环境变量(包括 CGI 变量),无论 PHP 是以服务器模块或是以 CGI 处理方式运行,都在这里列出了。

这是一个“superglobal”,或者可以描述为自动全局变量。这只不过意味这它在所有的脚本中都有效。在函数或方法中不需要使用 global $_ENV; 来访问它,就如同使用 $HTTP_ENV_VARS 一样。

$HTTP_ENV_VARS 包含着同样的信息,但是不是一个自动全局变量(注意:$HTTP_ENV_VARS$_ENV 是不同的变量,PHP 处理它们的方式不同)。

如果设置了 register_globals 指令,这些变量也在所有脚本中可用;也就是,分离了 $_ENV$HTTP_ENV_VARS 数组。相关信息,请参阅安全的相关章节使用 Register Globals。这些单独的全局变量不是自动全局变量。

HTTP Cookies:$_COOKIE

注: 在 PHP 4.1.0 及以后版本使用。之前的版本,使用 $HTTP_COOKIE_VARS

通过 HTTP cookies 传递的变量组成的数组。是自动全局变量。

这是一个“superglobal”,或者可以描述为自动全局变量。这只不过意味这它在所有的脚本中都有效。在函数或方法中不需要使用 global $_COOKIE; 来访问它,就如同使用 $HTTP_COOKIE_VARS 一样。

$HTTP_COOKIE_VARS 包含着同样的信息,但是不是一个自动全局变量(注意:$HTTP_COOKIE_VARS$_COOKIE 是不同的变量,PHP 处理它们的方式不同)。

如果设置了 register_globals 指令,这些变量也在所有脚本中可用;也就是,分离了 $_COOKIE$HTTP_COOKIE_VARS 数组。相关信息,请参阅安全的相关章节使用 Register Globals。这些单独的全局变量不是自动全局变量。

HTTP GET 变量:$_GET

注: 在 PHP 4.1.0 及以后版本使用。之前的版本,使用 $HTTP_GET_VARS

通过 HTTP GET 方法传递的变量组成的数组。是自动全局变量。

这是一个“superglobal”,或者可以描述为自动全局变量。这只不过意味这它在所有的脚本中都有效。在函数或方法中不需要使用 global $_GET; 来访问它,就如同使用 $HTTP_GET_VARS 一样。

$HTTP_GET_VARS 包含着同样的信息,但是不是一个自动全局变量(注意:$HTTP_GET_VARS$_GET 是不同的变量,PHP 处理它们的方式不同)。

如果设置了 register_globals 指令,这些变量也在所有脚本中可用;也就是,分离了 $_GET$HTTP_GET_VARS 数组。相关信息,请参阅安全的相关章节使用 Register Globals。这些单独的全局变量不是自动全局变量。

HTTP POST 变量:$_POST

注: 在 PHP 4.1.0 及以后版本使用。之前的版本,使用 $HTTP_POST_VARS

通过 HTTP POST 方法传递的变量组成的数组。是自动全局变量。

这是一个“superglobal”,或者可以描述为自动全局变量。这只不过意味这它在所有的脚本中都有效。在函数或方法中不需要使用 global $_POST; 来访问它,就如同使用 $HTTP_POST_VARS 一样。

$HTTP_POST_VARS 包含着同样的信息,但是不是一个自动全局变量(注意:$HTTP_POST_VARS$_POST 是不同的变量,PHP 处理它们的方式不同)。

如果设置了 register_globals 指令,这些变量也在所有脚本中可用;也就是,分离了 $_POST$HTTP_POST_VARS 数组。相关信息,请参阅安全的相关章节使用 Register Globals。这些单独的全局变量不是自动全局变量。

HTTP 文件上传变量:$_FILES

注: 在 PHP 4.1.0 及以后版本使用。之前的版本,使用 $HTTP_POST_FILES

通过 HTTP POST 方法传递的已上传文件项目组成的数组。是自动全局变量。

这是一个“superglobal”,或者可以描述为自动全局变量。这只不过意味这它在所有的脚本中都有效。在函数或方法中不需要使用 global $_FILES; 来访问它,就如同使用 $HTTP_POST_FILES 一样。

$HTTP_POST_FILES 包含着同样的信息,但是不是一个自动全局变量(请注意 PHP 是把 $HTTP_POST_FILES$_FILES 这两个变量当作不同的变量来处理的)。

如果设置了 register_globals 指令,这些变量也在所有脚本中可用;也就是,分离了 $_FILES$HTTP_POST_FILES 数组。相关信息,请参阅安全的相关章节使用 Register Globals。这些单独的全局变量不是自动全局变量。

Request 变量:$_REQUEST

注: 在 PHP 4.1.0 及以后版本使用。之前的版本,没有等价的数组。

注: 在 PHP 4.3.0 之前,$_FILES 也被包括在 $_REQUEST 数组中。

此关联数组包含 $_GET$_POST$_COOKIE 中的全部内容。

这是一个“superglobal”,或者可以描述为自动全局变量。这只不过意味着它在所有的脚本中都有效。在函数或方法中不需要使用 global $_REQUEST; 来访问它。

如果设置了 register_globals 指令,这些变量也在所有脚本中可用;也就是,分离了 $_REQUEST 数组。相关信息,请参阅安全的相关章节使用 Register Globals。这些单独的全局变量不是自动全局变量。

Session 变量:$_SESSION

注: 在 PHP 4.1.0 及以后版本使用。之前的版本,使用 $HTTP_SESSION_VARS

包含当前脚本中 session 变量的数组。参阅 Session 函数文档以获得更多信息。

这是一个“superglobal”,或者可以描述为自动全局变量。这只不过意味这它在所有的脚本中都有效。在函数或方法中不需要使用 global $_SESSION; 来访问它,就如同使用 $HTTP_SESSION_VARS 一样。

$HTTP_SESSION_VARS 包含着同样的信息,但是不是一个自动全局变量(请注意 PHP 是把 $HTTP_SESSION_VARS$_SESSION 这两个变量当作不同的变量来处理的)。

如果设置了 register_globals 指令,这些变量也在所有脚本中可用;也就是,分离了 $_SESSION$HTTP_SESSION_VARS 数组。相关信息,请参阅安全的相关章节使用 Register Globals。这些单独的全局变量不是自动全局变量。

Global 变量:$GLOBALS

注: $GLOBALS 在 PHP 3.0.0 及以后版本中适用。

由所有已定义全局变量组成的数组。变量名就是该数组的索引。

这是一个“superglobal”,或者可以描述为自动全局变量。这只不过意味这它在所有的脚本中都有效。在函数或方法中不需要使用 global $GLOBALS; 来访问它。

前一个错误消息:$php_errormsg

$php_errormsg 是包含 PHP 产生的上一错误消息内容的变量。该变量在发生错误并且 track_errors 选项打开(默认为关闭)后才有效。


add a note add a note User Contributed Notes
Uili - e-info(at)tunenami.com
25-Oct-2006 06:34
Andy Staudacher may have addressed this in his bug fix but just for clarifacation when reading a cookie $_COOKIE reads only the most accurate domain including sub domain. If you have cookies for .bar.com and foo.bar.com and the user is at foo.bar.com $_COOKIE only returns the cookie data from foo.bar.com but if the user is at www.bar.com the data from .bar.com will be read if there is no cookie for www.bar.com.
dlyaza aT yahoo DOT com
23-Oct-2006 03:33
Get Real IP Address; If some one Know More than below, let us to see

if (getenv('HTTP_CLIENT_IP')) {
$IP = getenv('HTTP_CLIENT_IP');
}
elseif (getenv('HTTP_X_FORWARDED_FOR')) {
$IP = getenv('HTTP_X_FORWARDED_FOR');
}
elseif (getenv('HTTP_X_FORWARDED')) {
$IP = getenv('HTTP_X_FORWARDED');
}
elseif (getenv('HTTP_FORWARDED_FOR')) {
$IP = getenv('HTTP_FORWARDED_FOR');
}
elseif (getenv('HTTP_FORWARDED')) {
$IP = getenv('HTTP_FORWARDED');
}
else {
$IP = $_SERVER['REMOTE_ADDR'];
}
chris dot chaudruc at gmail dot com
21-Oct-2006 04:09
To force the loading of a page using https:// instead of http:// - maybe for a shopping cart checkout page - you can use the following snippet of code at the very top of your page:

if(!$_SERVER['HTTPS']){header("Location: https://www.yoursite.com/page_that_must_be_secure.php"); }
seanhickey at gmail dot com
20-Sep-2006 05:46
Note that class objects will not be in the $GLOBALS array until *after* the classe's constructor returns.

<?php
class A
{
   public function __construct()
   {
       var_dump($GLOBALS);
   }
}

$a = new A;
var_dump($GLOBALS);
?>

The first var_dump() inside the __construct() method will not contain the value of $a, while the second one will.
Alexander Hars
19-Sep-2006 05:16
If you want to use a form with multiple checkboxes (e.g. one per row) and assign the same name to each checkbox then the name needs to end with []. This tells PHP to put all checked values into an array variable.
For example:
<input type="checkbox" name="id[]" value="value_1">
<input type="checkbox" name="id[]" value="value_2">
..
<input type="checkbox" name="id[]" value="value_x">

You can now retrieve all values by using:
   $values = $_POST['id'];

If the name does not end with [], then only a single value will be available via the $_POST variable even if the user checks several checkboxes.
kancsal dot zoltan at proaction dot hu
13-Sep-2006 10:40
Note that PHP_SELF is incorrect if you use script as directory name. Here is a workaround I used:

if(gentenv('PATH_INFO')){
   $HTMLBASE=getenv("SERVER_NAME");
   $d=explode("/",$_SERVER["PHP_SELF"]);
   for($i=1;$i<count($d)-1;$i++){if(substr($d[$i],-4)==".php") break;$HTMLBASE.="/".$d[$i];}
   $_SERVER["PHP_SELF"]="http://".$HTMLBASE."/".$d[$i];
   $PHP_SELF=$_SERVER["PHP_SELF"];
}

This will set a correct value to PHP_SELF if you use .php extensions.
trevor
09-Aug-2006 01:49
I needed to do the exact same thing as jwl007 (sort by clicking links) but I needed it to append the variable to the query string if it didn't already exist. Here's the function I'm using:

<?php
function setGetVar($var, $val){
   $request_uri = $_SERVER["REQUEST_URI"];
   if(strstr($request_uri, $var)) {
       return preg_replace("/$var=[\\d\\w]*/", "$var=$val", $request_uri);
   } elseif(strstr($request_uri, "?")) {
       return $request_uri . "&" . $var . "=" . $val;
   } else {
       return $request_uri . "?" . $var . "=" . $val;
   }
}
?>

<a href="<?php echo setGetVar("orderby", "lname"); ?>">Sort by Last Name</a>
<a href="<?php echo setGetVar("orderby", "fname"); ?>">Sort by First Name</a>
Jake
05-Aug-2006 12:30
I have a question about the $_SERVER variable.

I want to make my error pages show up what request forced an error.

i.e. if the user types http://www.myserver.com/nonexistingdir/

the error handler should retrieve that the user tried to access http://www.myserver.com/nonexistingdir/

which is not available.

Using the variables brings:
$_SERVER["REQUEST_URI"] -> http://www.myserver.com/ErrorHandler/404.php
$_SERVER["HTTP_REFERER"] -> http://www.myserver.com/ErrorHandler/404.php
$_SERVER["REDIRECT_URL"] -> http://www.myserver.com

but I need http://www.myserver.com/nonexistingdir/ as output (which means exactly that what the user used to trigger the 404 error)

Anyone an idea how to solve this?
jmurphy at hsdirect dot co dot uk
26-Jul-2006 10:17
As above the $_SERVER['request_uri']

is replaced in windows iis with

$_SERVER['script_name']
jwl007
11-May-2006 03:36
Here's a quick function for replacing values within a query string. I use this quite a bit for ordering a list obtained from a database.

e.g.
If I want a link to order the list by firstname, I would use:
<a href=".replaceQueryString('orderby',$firstname).">first</a>.
If I want a link to order by last name, I would use:
<a href=".replaceQueryString('orderby',$lastname).">last</a>.

//$var = global query variable
//$val = new value for global query variable
function replaceQueryString($var,$val){
     global $HTTP_SERVER_VARS;
     $query_string = $HTTP_SERVER_VARS["QUERY_STRING"];
     return preg_replace("/$var=[\\d\\w]*/","$var=$val",$query_string);   
}

Hope this helps someone..
jameslporter at gmail dot com
06-May-2006 03:19
Refer to CanonicalName if you are not getting the ServerName in the $_SERVER[SERVER_NAME] variable....This was a pain to figure out for me...now it works as expected by turning canonical naming on.

http://www.apacheref.com/ref/http_core/UseCanonicalName.html
tchamp
26-Apr-2006 10:24
Be careful with HTTP_HOST behind a proxy server.  Use these instead.
[HTTP_X_FORWARDED_FOR]
[HTTP_X_FORWARDED_HOST]
[HTTP_X_FORWARDED_SERVER]

In my situation, I used [HTTP_X_FORWARDED_SERVER] in place of [HTTP_HOST] in order get the machine and hostname (www.myurl.com)
Ben XO
14-Apr-2006 09:18
So you have an application in your web space, with a URL such as this:

http://<host>/<installation_path>/

and pages such as

http://<host>/<installation_path>/subfolder1/subfolder2/page.php

You have a file called config.php in <installation_path> which is include()d by all pages (in subfolders or not).

How to work out <installation_path> without hard-coding it into a config file?

<?php

// this is config.php, and it is in <installation_path>
// it is included by <installation_path>/page.php
// it is included by <installation_path>/subfolder/page2.php
// etc

$_REAL_SCRIPT_DIR = realpath(dirname($_SERVER['SCRIPT_FILENAME'])); // filesystem path of this page's directory (page.php)
$_REAL_BASE_DIR = realpath(dirname(__FILE__)); // filesystem path of this file's directory (config.php)
$_MY_PATH_PART = substr( $_REAL_SCRIPT_DIR, strlen($_REAL_BASE_DIR)); // just the subfolder part between <installation_path> and the page

$INSTALLATION_PATH = $_MY_PATH_PART
   ? substr( dirname($_SERVER['SCRIPT_NAME']), 0, -strlen($_MY_PATH_PART) )
   : dirname($_SERVER['SCRIPT_NAME'])
; // we subtract the subfolder part from the end of <installation_path>, leaving us with just <installation_path> :)

?>
todd dot kisov at yahoo dot com
03-Apr-2006 05:11
To convert query string parameter values ($_GET, $_REQUEST), which include escaped Unicode values resulting from applying the JavaScript "escape" function to a Unicode string (%uNNNN%uNNNN%uNNNN) fast and simple is to use PECL JSON extension:

function JavaScript_Unicode_URL_2_Str($js_uni_str) {
       $res = preg_replace('/%u([[:alnum:]]{4})/', '\\u\1', $js_uni_str);
       $res = str_replace('"', '\"', $res); // if in str "
       $res = json_decode('["'.$res.'"]'); // JavaScrip array with string element
       $res = $res[0];
       $res = iconv('UTF-8', ini_get('default_charset'), $res);
       return $res;
   }
01-Apr-2006 01:56
I was unable to convince my hosting company to change their installation of PHP and therefore had to find my own way to computer $_SERVER["DOCUMENT_ROOT"].  I eventually settled on the following, which is a combination of earlier notes (with some typos corrected):

<?php
if ( ! isset($_SERVER['DOCUMENT_ROOT'] ) )
  $_SERVER['DOCUMENT_ROOT'] = str_replace( '\\', '/', substr(
   $_SERVER['SCRIPT_FILENAME'], 0, 0-strlen($_SERVER['PHP_SELF']) ) );
?>
mjs at beebo dot org
30-Mar-2006 05:24
Note that PHP_SELF will not be equal to REQUEST_URI under Apache if mod_rewrite has been used to move one URL to another--PHP_SELF will contain the rewritten address, and REQUEST_URI will contain the URL the user sees in their browser.
kumazatheef
18-Mar-2006 02:53
Just to clarify the " Prior to PHP 4.3.0, $_FILES information was also included in $_REQUEST." item ...

despite the fact that a file upload form item looks & kinda acts like a text item, does not mean the value will be placed in $_REQUEST ... so, you can type in the path into the text item (except Safari and a few others), but the name/value is only in $_FILES ... no trace of it is in $_REQUEST ...

Makes sense and yet not quite at the same time.
adam3000 at gmail dot com
16-Mar-2006 02:30
I was trying to find an alternative to $_SERVER['REQUEST_URI'] for a Windows NT set up and the ones below didn't really work for me so here's my solution using eustf at hotmail dot com's suggestion of $_SERVER['PHP_SELF']:

// if 'REQUEST_URI' isn't available then ...
if(!isset($_SERVER['REQUEST_URI'])) {
  
   // ... set my own request url and ...
   $temp_request_url = $_SERVER['PHP_SELF'];
  
   // ... test for and add url variables to my request url ...
   if (isset($HTTP_SERVER_VARS['QUERY_STRING'])) {
       $temp_request_url .= (strpos($updateGoTo, '?')) ? "&" : "?";
       $temp_request_url .= $HTTP_SERVER_VARS['QUERY_STRING'];
       }

} else {
   // ... otherwise use the regular 'REQUEST_URI'
   $temp_request_url = $_SERVER['REQUEST_URI'];
}
Aardvark
08-Mar-2006 05:35
$_GET may not handle query string parameter values which include escaped Unicode values resulting from applying the JavaScript "escape" function to a Unicode string.
To handle this the query parameter value can be obtained  using a function such as:

function getQueryParameter ($strParam) {
  $aParamList = explode('&', $_SERVER['QUERY_STRING']);
  $i = 0;
  while ($i < count($aParamList)) {
   $aParam = split('=', $aParamList[$i]);
   if ($strParam == $aParam[0]) {
     return $aParam[1];
   }
  }
  return "";
}

or by directly building an array or query string values and then processing the parameter string using a function such as the "unescape" function which can be found at http://www.kanolife.com/escape/2006/03/unicode-url-escapes-in-php.html (or http://www.kanolife.com/escape/ for related info).
justin dot (nospam)george at gmail dot com
01-Mar-2006 04:00
Note that it's a very, very bad idea to append to global variables in a loop, unless you really, really mean to do so in a global context. I just a while ago hung my server with a snippet of code like this:

<?php
$host  = $_SERVER['HTTP_HOST'];
$uri  = rtrim($_SERVER['PHP_SELF'], "/\\");

  
$GLOBALS['SITE_ROOT'] = "http://$host$uri";

while ($i < somenumber)
readfile($GLOBALS['SITE_ROOT'] = $GLOBALS['SITE_ROOT'] . '/this/file.php');
$i++
}
?>

While it is an entertaining and unusual method of creating very long URLs and breaking servers, it's a pretty awesomely bad idea

(Especially considering that the script in question ran concurrently with others of it's type, so the value in $GLOBALS['SITE_ROOT'] was unknown.)
nathan
23-Feb-2006 12:05
Also on using IPs to look up country & city, note that what you get might not be entirely accurate.  If their ISP is based in a different city or province/state, the IPs may be owned by the head office, and used across several areas. 
You also have rarer situations where they might be SSHed into another server, on the road, at work, at a friend's...  It's a nice idea, but as the example code shows, it should only be used to set defaults.
ticklemeozmo at gmail dot com
15-Feb-2006 01:44
Using a combination of magic and a few examples from below (thank you to those below), the following two functions should provide the script  with a list (in order) of what is after the script.

printvars.php:
<?php
function array_compress($array) {
       $aReturn = array();
       foreach ($array as $value)
       if (strlen($value) > 0) { $aReturn[] = $value; }
       return $aReturn;
}

function getPathVariables() {
       $sPathPS = $_SERVER[PHP_SELF];
       $sPathFS = __FILE__;

       $aPathPS = array_reverse(explode("/", $sPathPS));
       $aPathFS = array_reverse(explode("/", $sPathFS));

       $aReturn = array();
       $x = 0;

       while ( $aPathPS[$x] != $aPathFS[$x] && $aPathPS[$x] != $aPathFS[0] ) {
               array_unshift($aReturn, $aPathPS[$x])        ;
               $x++;
       }

      
       return $aReturn;

}

print_r(array_compress(getPathVariables()));
?>

----
Calling: http://www.website.com/temp/printvars.php/or/whatever/something.jpg

returns:
Array (
   [0] => or
   [1] => whatever
   [2] => something.jpg
)
geza at turigeza dot com
11-Feb-2006 09:13
Above the manual says

'$_REQUEST is an associative array consisting of the contents of $_GET, $_POST, and $_COOKIE.'
However
$_REQUEST doesn't always contain the same elements as

$_GET+$_POST+$_REQUEST;

Basically if you add an element to the $_POST array that element does not automatically get added to REQUEST as well. It's easy to understand why :)

<?php
$_POST['geza'] = 'geza';
$_GET['bela'] = 'bela';

echo '<pre>';
print_r($_POST);
print_r($_GET);
print_r($_REQUEST);
echo '</pre>';
?>

will output this
Array
(
   [geza] => geza
)
Array
(
   [bela] => bela
)
Array
(
)
nospam at joot dot com
10-Feb-2006 07:02
[Editor's note: As much as you may hate us lazy programmers, we highly recommend the use of DOM (http://php.net/dom) or SimpleXML (http://php.net/simplexml) for handling XML data. It's much, much, much, much safer than your method. :)]

Man, I hate lazy programmers.  Let's have no more excuses for requiring your viewers to fill in their City and Country, okay?

PART ONE - The Lookup

$ip = get_remote_ip();
$location = http_get( "http://api.hostip.info/?ip=$ip" );

$contents = get_tag_contents( $location, "Hostip" );
$city = trim( get_tag_contents( $contents, "gml:name" ) );
$country = trim( get_tag_contents( $contents, "countryAbbrev" ) );

if( stristr( $city, "private" ) ) {
  $city = "";
}

if( stristr( $country, "xx" ) ) {
  $country = "US";
}

PART TWO - The Functions

function get_remote_ip() {
  return $_SERVER['REMOTE_ADDR'];
}

function http_get( $url ) {
  $request = fopen( $url, "rb" );
  $result = "";

  while( !feof( $request ) ) {
   $result .= fread( $request, 8192 );
  }
 
  fclose( $request );
 
  return $result;
}

function get_tag_contents( $xml, $tag ) {
  $result = "";
  $s_tag = "<$tag>";
  $s_offs = strpos( $xml, $s_tag );

  // If we found a starting offset, then look for the end-tag.
  //
  if( $s_offs ) {
   $e_tag = "</$tag>";
   $e_offs = strpos( $xml, $e_tag, $s_offs );

   // If we have both tags, then dig out the contents.
   //
   if( $e_offs ) {
     $result = substr(
       $xml,
       $s_offs + strlen( $s_tag ),
       $e_offs - $s_offs - strlen( $e_tag ) + 1 );
   }
  }

  return $result;
}

PART THREE - The HTML Form

<input type="text" name="city" id="city" value="<? echo $city; ?>" size="40" maxlength="50" />

<option value="AU" <? if( $country == "AU" ) echo "SELECTED='true'" ?>>Australia</option>
<option value="CA" <? if( $country == "CA" ) echo "SELECTED='true'" ?>>Canada</option>
<option value="GB" <? if( $country == "GB" ) echo "SELECTED='true'" ?>>United Kingdom</option>
<option value="US" <? if( $country == "US" ) echo "SELECTED='true'" ?>>United States</option>

etc.
Gerry
26-Jan-2006 09:14
In relation to Mr. Obvious' comment concerning using apache_request_headers() to get a more reliable referer. I don't believe this works as both it and PHP would be retrieving the information from the 'referer' header. All you would be doing by using apache_request_headers() is giving yourself more work.

Some test code which shows that both are identical:
<?php
$host=apache_request_headers();
echo "\$host['Referer'] = {$host['Referer']}\n";
echo "\$_SERVER['HTTP_REFERER'] = {$_SERVER['HTTP_REFERER']}\n";
?>

You can edit the referer using a tool such as the LiveHTTPHeaders extension for Firefox.

If there was a more accurate way of determining the referer, then PHP would most likely be doing it.
de dot php dot net at derdickehase dot de
23-Jan-2006 04:05
There's one key sentence about $_SESSION:

... Therefore, you do not need to use the global keyword for $_SESSION ...
In PHP 4.3.4 you better don't import $_SESSION within any function with
"global", otherwise your $_SESSION array will be overwritten and all
information of it will be lost.

---

... Sie brauchen dieses Array nicht mit global $_SESSION; in
Funktionen oder Methoden importieren ...
In PHP 4.3.4 sollte man lieber nirgendwo(!) in irgendwelchen Funktionen
mit "global" das Array $_SESSION importieren, denn dann wird das alte
Array berschrieben und alle Session-Informationen gehen verloren.
marsh at NOSPAM-TAKETHATSPAMMER dot uri
20-Jan-2006 12:05
The solution advanced by info at meshkaat dot com does not work correctly on machines with IIS configured to use
a virtual directory as the launch point. The address strings for $_SERVER['SCRIPT_FILENAME'] and $_SERVER['PHP_SELF'] will not necessarily have the same name for the highest level directory in $_SERVER['PHP_SELF'], and therefore this solution will not return the proper value.
marsh at NOSPAM-TAKETHATSPAMMER dot uri dot edu
12-Jan-2006 11:57
Under Windows XP SP2 and IIS, $_SERVER('x') returns a path using forward slash '/' as the separator, where x is:

     PHP_SELF, SCRIPT_NAME

These arguments, however, all return a path using backward slash, '\' as the separator:

  __FILE__, SCRIPT_FILENAME, and DOCUMENT_ROOT (if you use one of the methods mentioned previously).

Also note that if the name of the last directory in the document root includes a space, the methods described above for setting DOCUMENT_ROOT will return a value that drops the everything past the space.
Andy Staudacher, gmx.ch add ast before @
20-Dec-2005 09:02
The following code is licensed under the GPL and it is from the gallery.menalto.com project.
<?php
   /**
     * Fix the superglobal $_COOKIE to conform with RFC 2965
     *
     * We don't use $_COOKIE[$cookiename], because it doesn't conform to RFC 2965 (the
     * cookie standard), i.e. in $_COOKIE, we don't get the cookie with the most specific path for
     * a given cookie name, we get the cookie with the least specific cookie path.
     * This function does it exactly the other way around, to a) fix our cookie/login problems and
     * to b) conform with the RFC.
     * The PHP bug was already fixed in spring 2005, but we will have to deal with broken PHP
     * versions for a long time. See http://bugs.php.net/bug.php?id=32802.
     *
     * Fixes also another PHP cookie bug. PHP doesn't expect the cookie header to have
     * quoted-strings, but they are perfectly legal according to RFC 2965.
     *
     * The third bug fixed here is an MS Internet Explorer (IE) bug. When using default cookie
     * domains (no leading dot, don't set the domain in set-cookie), IE is supposed to return only
     * cookies that have the exact request-host as their domain.
     * Example: Cookies stored in the browser with cookie domains: .example.com, .www.example.com,
     *          example.com, www.example.com
     *          The request-host is www.example.com. Thus, IE should return all those cookies but
     *          the example.com cookie, because it's a default domain cookie and it doesn't match
     *          exactly the request-host. But IE returns the example.com cookie too.
     * As MS decided that it returns the cookie with the best domain-match first (unspecified in
     * RFC 2965), this wouldn't be a problem if PHP didn't select the last cookie in the
     * HTTP_COOKIE header. But with fixCookieVars(), this case is also fixed.
     *
     * This function reevaluates the HTTP Cookie header and populates $_COOKIE with the correct
     * cookies. We fix only non-array and non '[', ']' containing cookies for simplicity. To fix
     * our login problem, we'd have to fix only the GALLERYSID cookie anyway.
     *
     * @param boolean force the reevaluation of the HTTP header string Cookie
     * @param boolean unset static variable for testability
     */
   function fixCookieVars($force=false, $unset=false)
?>
The source code can be found at:
http://cvs.sourceforge.net/viewcvs.py/gallery/gallery2/
modules/core/classes/GalleryUtilities.class?rev=1.146&view=markup
Mr. Obvious
15-Dec-2005 03:37
HTTP_REFERER Replacement

Being that REFERER is not a reliable resource to determine if a user is visiting a link from your domain, try using apache_request_headers() instead (formerly getallheaders).  I found this to work very well with both IE and Netscape/FireFox when determining if a user is downloading a file from outside of my domain.

<?php
$host=apache_request_headers();
if(!eregi('domain.com',$host[Referer])){
   //[...code to download file here...]
}else{
   //[...code to download alternate file here...]
   }
?>
info at meshkaat dot com
06-Dec-2005 09:03
How to get $_SERVER["DOCUMENT_ROOT"] on IIS :

if(!isset($_SERVER["DOCUMENT_ROOT"]))
{$_SERVER["DOCUMENT_ROOT"]=substr($_SERVER['SCRIPT_FILENAME'] , 0 , -strlen($_SERVER['PHP_SELF'])+1 );
}

it simply works!
chris at vault5 dot com
30-Nov-2005 11:17
Since $_SERVER['DOCUMENT_ROOT'] is not always present, the following will provide it where $_SERVER dosen't.

<?php
function resolveDocumentRoot() {
   $current_script = dirname($_SERVER['SCRIPT_NAME']);
   $current_path  = dirname($_SERVER['SCRIPT_FILENAME']);
  
   /* work out how many folders we are away from document_root
       by working out how many folders deep we are from the url.
       this isn't fool proof */
   $adjust = explode("/", $current_script);
   $adjust = count($adjust)-1;
  
   /* move up the path with ../ */
   $traverse = str_repeat("../", $adjust);
   $adjusted_path = sprintf("%s/%s", $current_path, $traverse);

   /* real path expands the ../'s to the correct folder names */
   return realpath($adjusted_path);   
}

?>

It counts the number of folders down the path we are in the URL, then moves that number of folders up the current path... end result should be the document root :)

It wont work with virtual folders or in any situation where the folder in the URL dosen't map to a real folder on the disk (like when using rewrites).
webmaster at neosign dot net
08-Nov-2005 11:42
this is for finding Document root in IIS.
it's like $_SERVER["DOCUMENT_ROOT"]

if(!isset($_SERVER["DOCUMENT_ROOT"])){
$_SERVER["DOCUMENT_ROOT"]=$str_replace('\\','/',getcwd());
}

it's work!!

by

webmaster@neosign.net
lorenpr at gmail dot com
02-Nov-2005 07:04
Here's a simple function that has proven reliable for me in checking if a user has refreshed the current page on a website.

function pageRefreshed()
{
  if($_SERVER['HTTP_CACHE_CONTROL'] == 'max-age=0')
     return true;

   return false;
}
webmaster at eclipse dot org
11-Oct-2005 11:01
In response to tobias at net-clipping dot de

It is not an Apache bug.  Please read http://httpd.apache.org/docs/2.1/mod/core.html#errordocument carefully (2.1 version here, 2.0 and 1.x is similar). 

In short, if your ErrorDocument start with http:// Apache sends a redirect (302) to the error document, hence losing your original referer. If your ErrorDocument points to a relative path, 404 is maintained and so are your variables.

From the Apache manual:

"Note that when you specify an ErrorDocument  that points to a remote URL (ie. anything with a method such as http in front of it), Apache will send a redirect to the client to tell it where to find the document, even if the document ends up being on the same server. This has several implications, the most important being that the client will not receive the original error status code, but instead will receive a redirect status code. This in turn can confuse web robots and other clients which try to determine if a URL is valid using the status code. In addition, if you use a remote URL in an ErrorDocument 401, the client will not know to prompt the user for a password since it will not receive the 401 status code. Therefore, if you use an ErrorDocument 401 directive then it must refer to a local document."

D.
webadmin at wibn dot net
06-Oct-2005 05:55
I like using the $_REQUEST variable because my scripts work as expected regardless of request method and I can set per-user default values with cookies or session variables.
I was having problems because $_REQUEST was preferring cookie-method values over GET- and POST-method values.  I have no access to php.ini on my hosted web page and, of course, ini_set("variables_order","ESCGP"); has no effect because $_REQUEST is created before my script starts.
The following script fixed my problem:

foreach (array("_GET","_POST") as $source) {
 foreach (${$source} as $idx => $value) {
  $_REQUEST[$idx]=$value;
  };
 };
unset($source,$idx,$value);

Simply fill the array() with the names of the arrays you want to load into $_REQUEST, in increasing order of preference.
drew dot griffiths at clare dot net
30-Sep-2005 11:51
Re: You can take advantage of 404 error to an usable redirection using REQUEST_URI ...

Whilst this is effective, a line in the .htaccess such as:

RewriteEngine On
RewriteRule ^profiles/([A-Za-z0-9-]+) showprofile.php?profile=$1 [L,NC,QSA]

will throw the requested profile in a variable $profile to the showprofile.php page. 

You can further enhance the url (e.g http://servername/profiles/Jerry/homeaddress/index.htm) and the second variable value homeaddress becomes available in $url_array[3] when used below $url_array=explode("/",$_SERVER['REQUEST_URI']); 

Hope this helps - Works well for me

Drew
jeromenelson at gmail dot com
19-Sep-2005 06:56
You can take advantage of 404 error to an usable redirection using REQUEST_URI ...

For example the following program can retrieve the information for the 'search_string', for a given URI:  http://servername/profiles/search_string, even though there's no such path.
Do the following steps..

Step 1: Edit Apache config:  set
       ErrorDocument 404 "/missing.php" 
Step 2: Write the missing.php as follows ...

<?
$mainPath = "/profiles/";                                      // Example: http://servername/profiles/search_string
$mpLength = strlen( $mainPath  );                               
$request_uri = $_SERVER['REQUEST_URI'];

if ( $mainPath != substr($request_uri,0,$mpLength) ) {          // Check if the given URI is valid
   echo "404 Page Not Found !";
   exit();
}

$name = substr ($request_uri , $mpLength ) ;                    // Extract the string to be searched

echo "You have searched for the profile of Mr. $name";

/** Here you can write the code to retrieve and display
     the $name's  information from the database
*/
?>

Step 3: Now try http://servername/profiles/Jerry
   (of course, there shouldn't be a file/folder in the server like "DOCROOT/profiles/Jerry" )

     output: You have searched for the profile of Mr. Jerry

God Bless You!
Angelina Bell
04-Aug-2005 11:55
Warning:
$_SERVER['PHP_SELF'] and $_SERVER['SCRIPT_NAME'] may not always be set correctly.
Some web hosts implement php as a CGI in such a way that they can turn it on or off for each virtual domain.  Several $_SERVER and $_ENV variable values may be incorrect for documents in subdirectory subdomains of these virtual domains.

An include-file function or constant, instead of PHP_SELF or some other predefined variable throughout a website, will make it easier to "fix" an entire website in case something changes.
<?php
function true_url_path() {
// Pick the predefined variable that works on your server
     return $_ENV['SCRIPT_URL'];
}
?>
Or
<?php
// Pick the predefined variable that works on your server
define("TRUE_URL_PATH", $_ENV['SCRIPT_URL']);
?>
Gregory Boshoff
31-Jul-2005 05:41
$_SERVER['QUERY_STRING']

Does not contain XHTML 1.1 compliant ampersands i.e. &amp;

So you will need to do something like this if you are to use $_SERVER['QUERY_STRING'] in URL's.

//  XHTML 1.1 compliant ampersands
$_SERVER['QUERY_STRING'] =
str_replace(array('&amp;', '&'), array('&', '&amp;'),
$_SERVER['QUERY_STRING']);
New York PHP
24-Jul-2005 09:59
Warning: $_SERVER['PHP_SELF'] can include arbitrary user input. The documentation should be updated to reflect this.

The request "http://example.com/info.php/attack%20here" will run /info.php, but in Apache $_SERVER['PHP_SELF'] will equal "/info.php/attack here". This is a feature, but it means that PHP_SELF must be treated as user input.

The attack string could contain urlencoded HTML and JavaScript (cross-site scripting) or it could contain urlencoded linebreaks (HTTP response-splitting).

The use of $_SERVER['SCRIPT_NAME'] is recommended instead.
eustf at hotmail dot com
21-Jul-2005 11:05
REQUEST_URI not defined on Windows XP and IIS 5.1
I have seen different script on the web and in this list but they don't work fully. This one seems to work:

if(!isset($_SERVER['REQUEST_URI'])) {
  $arr = explode("/", $_SERVER['PHP_SELF']);
  $_SERVER['REQUEST_URI'] = "/" . $arr[count($arr)-1];
  if ($_SERVER['argv'][0]!="")
   $_SERVER['REQUEST_URI'] .= "?" . $_SERVER['argv'][0];
}
daniel at softel dot jp
16-Jul-2005 02:43
Note that $php_errormsg may contain a newline character. This can be problematic if you are trying to output it with a JavaScript "alert()" for example.
php at php-universe dot com
15-Jul-2005 08:11
While recently working on a file upload script, that works on moving files and resizing images based upon their extension, I found a great way to determine the file extension.

<?
function get_extension($filename)
{//start get_extension function
return (count($tmp = explode('.',basename($filename)))>1)?array_pop($tmp):'';
}//end get_extension function

/* An example use of this function:*/

foreach($_FILES as $files)
{//foreach $_FILES action
if($files['error']==0)
     {//if the file was successfully uploaded
$ext = "<br />.".get_extension($files['name']);
echo $ext;
     }//end of successfull upload check
}//end foreach $_FILES
?>

This returns the file extension for each of the files uploaded, giving something like:

.jpg
.swf
andy dot gajetzki at gmail dot com
06-Jul-2005 09:22
I wanted to be able to embed a variable in the path. This is useful when, for example, images are rendered on the fly and you would like them to have different urls.

Here is an illustration:

www.somesite.com/image.php/IMAGETEXTHERE

This would return an image with the text after "image.php/" contained in it.

I could not recall the name of this feature, so I made a work-around in PHP...

<?       
      
function getPathVariables() {
       $sPathPS = $_SERVER[PHP_SELF];
       $sPathFS = __FILE__;

       $aPathPS = array_reverse(explode("/", $sPathPS));
       $aPathFS = array_reverse(explode("/", $sPathFS));

       $aImageArgs = array();
       $x = 0;

       while ( $aPathPS[$x] != $aPathFS[$x] && $aPathPS[$x] != $aPathFS[0] ) {
               array_unshift($aImageArgs, $aPathPS[$x])        ;
               $x++;
       }
       return $aImageArgs;

}
?>

This function will return an array containing each "/" delimited portion of the path after the script name itself.
notes at arbee dot co dot uk
27-Jun-2005 10:14
Note that $_SERVER['QUERY_STRING'] behaves differently under IIS/Apache.

In Apache (at least on Windows) it is ALWAYS set - if no query string was specified in the URL, $_SERVER['QUERY_STRING'] is initialised as an empty string.

In IIS, if no query string is included in the URL, $_SERVER['QUERY_STRING'] is NOT SET, so trying to access it without checking for its existence will generate notices.
koerner-familie at t-online dot de
21-Jun-2005 09:52
If you want to make a copy of $BLOBALS (e.g. to test whether which tariables were changed during script-runtime,
<?php $___debug_var_dump = $GLOBALS; ?>
will _NOT_ make a copy in PHP4 (tested with 4.3.11). Use
<?php $___debug_var_dump = array_merge($GLOBALS, array()); ?> instead, but ONLY for testing purpose.
Best regards, Peter
purplebz at hotmail dot com
19-Jun-2005 04:35
How to get $_SERVER['REQUEST_URI'] on IIS (WinXP):

if ( empty($_SERVER['REQUEST_URI']) ) {
   $arr = explode("/", $_SERVER['PHP_SELF']);
   $_SERVER['REQUEST_URI'] = $arr[count($arr)-1];
}
xangelusx at hotmail dot com
14-Jun-2005 04:03
A note about the QUERY_STRING variable when using IIS:

I have found that IIS does not handle large query strings gracefully when passed from PHP. In addition to truncating them to around 1024 kb, I have seen IIS actually add data from other server variables to the end of the truncated data.

This occurred on Windows 2000 server running IIS 5.0 and PHP 4.3.8.  The problem did not occur when handled by Apache, even on another Windows server.

Note: I realize passing this much data is best accomplished using the POST method, which would avoid this problem all together. I'm merely detailing a problem that I came across.

I have created a page that includes the (very long) query string that was used and some of the results that I saw while testing. It can be viewed at http://www.csb7.com/test/php_iis_qs_limit/. I didn't want to include it here as it would stretch the page out significantly.

~Chris Bloom
mfyahya at gmail dot com
07-Jun-2005 09:33
If you use Apache's redirection features for custom error pages or whatever, the following Apache's REDIRECT variables are also available in $_SERVER:
$_SERVER['REDIRECT_UNIQUE_ID]'
$_SERVER['REDIRECT_SCRIPT_URL]'
$_SERVER['REDIRECT_SCRIPT_URI]'
$_SERVER['REDIRECT_SITE_ROOT]'
$_SERVER['REDIRECT_SITE_HTMLROOT]'
$_SERVER['REDIRECT_SITE_CGIROOT]'
$_SERVER['REDIRECT_STATUS]'
$_SERVER['REDIRECT_QUERY_STRING]'
$_SERVER['REDIRECT_URL]'

I'm not sure if this is a complete list though
mp at wds-tech dot de
02-Jun-2005 03:12
Also aviable is the $_SERVER['SERVER_ADDR'] which returns the current IP of the server the script is running on.
mike at go dot online dot pt
27-May-2005 03:58
In addition to what FX said about IE and Firefox, if you use the variable $PHP_SELF instead of $_SERVER['PHP_SELF'] that problem does not happen.
webKami (et) AKDomains.com
24-May-2005 02:47
PHP Secure Class to prevent XSS Attacks

Although this is not bullet proof but it would give you an idea on how to filter incoming data.

Copyleft : LGPL
Idea by: phpsec GROUP @ PHP|arch

Coded By: webKami

For those who are new to PHP and just heard of XSS attacks, this is the basic rule.

"NEVER EVER TRUST EXTERNAL DATA"

For this purpose I have coded a class that can be used to filter all external data, from POST, GET, COOKIE and even your own arrays.

An example is that if you need only integers from a certain parameter just request for integer
e.g. getVarInt("id")

You can even tell it to give you a default value if param is not set, so that your page would not FAIL in case of a NULL value
e.g. getVarInt("id",1)

You can also fetch data from a param array, like a set of colors
e.g. getVarInt("colors",0,0)
e.g. getVarInt("colors",0,1)

Get these variables in a loop limited by the count of that array's elements
e.g. getVarCount("colors")

The complete code of class and its usage can be found here

http://www.webkami.com/programming/php/php-secure-class-to-avoid-xss

I am posting the usage below.

<?

//for url variables
$req = new requestGet();
echo "Int:".$req->getVarInt("id")."<br />";
echo "Alpha:".$req->getVarAlpha("name",4)."<br />";

//for form variables
$req = new requestPost();
echo "Int:".$req->getVarInt("id")."<br />";
echo "Alpha:".$req->getVarAlpha("name",4)."<br />";

//for cookies
$req = new requestCookie();
echo "Int:".$req->getVarInt("id")."<br />";
echo "Alpha:".$req->getVarAlpha("name",4)."<br />";

//for your own variables, set your values to an item in an array and you can modify the array

$filter["id"]=4;
$filter["name"]="Ali";
$req = new requestFilter($filter);
echo "Int:".$req->getVarInt("id")."<br />";
echo "Alpha:".$req->getVarAlpha("name",4)."<br />";

?>
FX
24-May-2005 06:24
A form that has an action $_SERVER['PHP_SELF'];

in IE, it outputs as /test.php

but in FireFox it outputs as //test.php and so page can't be found.

Use    basename($_SERVER['PHP_SELF']);    instead .
sienkiewicz at gmail dot com
19-May-2005 10:18
Here is a very simple method of extracting all $_GET variables in a URL. This is useful when working with dynamic reports, that may need to be sorted, etc.

code:

foreach($_GET as $variable => $value) {
   echo "Variable Name: " . $variable . " Value: $value<br>";
}
JM
18-May-2005 04:08
The $_SERVER['PHP_AUTH_*'] variables are not available in safe mode.  See http://www.php.net/features.http-auth
www dot php dot net at webdevelopers dot cz
12-May-2005 09:01
Simple function that selects "best" language for the user from the list of available languages:

function chooseLang($availableLangs) {
   $pref=array();
   foreach(split(',', $_SERVER["HTTP_ACCEPT_LANGUAGE"]) as $lang) {
       if (preg_match('/^([a-z]+).*?(?:;q=([0-9.]+))?/i', $lang.';q=1.0', $split)) {
           $pref[sprintf("%f%d", $split[2], rand(0,9999))]=strtolower($split[1]);       
       }
   }
   krsort($pref);
   return array_shift(array_merge(array_intersect($pref, $availableLangs), $availableLangs));
}
 
echo 'BESTLANG: '.chooseLang(array('cs', 'sk', 'ru', 'en'));

Daniel "elixon" Sevcik
exaton at free dot fr
07-May-2005 02:23
With the arrival of the Google Web Accelerator, the problem of keeping track of users through $_SERVER['REMOTE_ADDR'] (for a much shorter while than with cookies) has reared its ugly head anew.

For those confronted with this issue, remember that Google implements the $_SERVER['HTTP_X_FORWARDED_FOR'] header giving the IP address of the connection that it proxies.

Hope this helps...
inbox at tanasity dot com
13-Apr-2005 09:23
Under Windows 2000, running IIS and PHP 4.3.10, $_SERVER['SCRIPT_NAME'] is not available, however $_SERVER['SCRIPT_FILENAME'] is present and seems to contain the same information.
javalizard at mac dot com
11-Apr-2005 07:02
My web host server will give my php the user preferred languages out over the order.  This means that I had to write a function for ordering the languages based upon their "q" value (rank from 1..0, 1 being the most preferred).  If you want an ordered list of user preferred languages use this function:

<?php
function orderedLanguages()
{
   $languages = split(",", $_SERVER['HTTP_ACCEPT_LANGUAGE'] );
   $lang_q = Array();
   foreach( $languages as $aLang ) {
       $lang_array = split(";q=", trim( $aLang ) );
       $lang = trim( $lang_array[0] );
       if( !isset( $lang_array[1] ) )
           $q = 1;
       else
           $q = trim($lang_array[1]);
       $lang_q["$lang"] = (float)$q;
   }
   arsort($lang_q);
   //extra code for making the languages key indexed
   $i = 0;
   $lang_index = Array();
   foreach($lang_q as $lang => $q) {
   //    $lang_q[$i] = $lang; //add to the same array the index key/language
       $lang_index[$i] = $lang; //add to a new array the index key/language
       $i++;
   }
  
   //return $lang_index; // uncomment for returning array with keys={0..n-1}, values={most..least preferred}
   return $lang_q;
}

?>

While you can't reference the key by number, You can use foreach to pull elements.  This will be in order.  So getting the key with array_keys should work in the preferred order too.  I've added a few extra lines of commented code for reordering the array into one(s) that reference the language by number (if you need it)  :D
skrollster
27-Mar-2005 12:36
$_SERVER["REMOTE_USER"] and $_SERVER['PHP_AUTH_USER'] is the same variable i think..
anonymous
04-Mar-2005 06:12
I don't see the $_SERVER["REMOTE_USER"] listed in this document.
This displays the username used to login using .htaccess.
z dot stolar at gmail dot com
03-Mar-2005 06:05
It seems that if the current page was called with GET variables:
http://www.example.com/index.php?delete_id=12?add_id=34

and if, in that same page, you are about to submit another form, this time with POST method, assigning the form the action:
<?php  $_SERVER['PHP_SELF'?>
will keep the GET variables at their place! (delete_id=12?add_id=34)

Rather, assign the form the action like this:
<?php echo $_SERVER['PHP_SELF'] ; ?>
this will call only index.php without any GET variables
28-Feb-2005 10:41
Matt Johnson says that one should never urldecode() $_GET data. This is incorrect.

If magic_quotes_gpc is turned off in php.ini, then you *do* need to urldecode() $_GET data.

Having magic_quotes_gpc turned off is considered good practise.
x_terminat_or_3 at [remove] yahoo.fr
28-Feb-2005 06:18
I didn't find it anywhere here and I was ready to bang my head on the wall until I found the solution!

So when you use a select with multiple options you have to cheat to let php recognize it.

When processing the request, php puts all selected options in the select object's name, but treats it like an array.  If it is not an array, only the last option is remembered.

So to cheat you should append [ ] to the name of the select

<form .. ... ..>
 <select multiple="multiple" name="myselect[]" size="3">
  <option value="1">1st option</option>
  <option value="2">2nd option</option>
  <option value="3">3rd option</option>

...

Then in the processing part:
<?php
  if(!empty[$_REQUEST['myselect']) print_r($_REQUEST['myselect']);
?>

Will show you the array with all the selected options
17-Feb-2005 07:30
grlprgrmmr wrote:

you can use these to reconstructed the current page url.

<?php

echo 'http';
if($_SERVER['HTTPS']=='on'){echo 's';}
echo '://'.$_SERVER['SERVER_PORT'].$_SERVER['SCRIPT_NAME'];
if($_SERVER['QUERY_STRING']>' '){echo '?'.$_SERVER['QUERY_STRING'];}

?>
______________

the $_SERVER['SERVER_PORT'] part should be changed to $_SERVER['HTTP_HOST']
Gregory Boshoff
14-Feb-2005 08:19
The Environment variable $ENV is useful for coding portable platform specific application constants.

// Define a Windows or else Linux root directory path
$_ENV['OS'] == 'Windows_NT' ? $path = 'L:\\www\\' : $path = ' /var/www/';

define('PATH', $path);

echo PATH;
magotes[at]netcabo.pt
12-Feb-2005 11:09
Sorry if this is old news to some, but it might not be obvious at a first glance:

If you are using $_SERVER['remote_addr'] as a way to keep track of a logged-in user (this can be useful to avoid several types of hacking), remember that it might not be the user's actual IP address!

I was trying to implement a login feature that used this, storing the IP into a DB. It went smoothly while on a LAN, but wrecked havoc when accepting outter connections.
grlprgrmmr uses gmail
11-Feb-2005 03:05
you can use these to reconstructed the current page url.

<?php

echo 'http';
if($_SERVER['HTTPS']=='on'){echo 's';}
echo '://'.$_SERVER['SERVER_PORT'].$_SERVER['SCRIPT_NAME'];
if($_SERVER['QUERY_STRING']>' '){echo '?'.$_SERVER['QUERY_STRING'];}

?>

If $_SERVER['HTTPS']=='on' does not work for you,
try $_SERVER['SERVER_PORT']==443 (or whatever secure port is used)
JSP001
27-Jan-2005 06:15
Hi dotpointer,

I am new to php but I suggest a little modification of your script. Tell me what you think of it :

function getThisFile() {

[...]
   /* last resort __FILE__ */
   } else {
       $strScript = __FILE__;
   }
[...]
}

Thanks for this great function, I'll use it for my project !

Regards
niles AT atheos DOT net
27-Jan-2005 04:51
If your having problems returning $_SERVER variables using apache, be sure you enable:

ExtendedStatus On

in your httpd.conf file.

If it's off, then things like $_SERVER['HTTP_HOST'] won't be present.
marcus at lastcraft dot com
24-Jan-2005 08:02
The variable $php_errormsg is not populated if you have XDebug running.
arjini at gmail dot com
19-Jan-2005 08:29
Driven crazy by the lack of consistency with $_SERVER across installations? Check out this chart:

http://www.koivi.com/apache-iis-php-server-array.php
roy dot rico at gmail dot com
19-Jan-2005 05:48
if you are trying to use $php_errormsg, it acts more like a function than it does a variable.

example

   echo "<h1>";
   $php_errormsg;
   echo "</h1>";

will output:

   <h1>[the php error]<h1>

however, this command

   echo "<h1>" . $php_errormsg . "</h1>";

should produce the same thing, yet it produces

   [the php error]<h1></h1>

not sure if this is a "feature" or a "bug"
dotpointer
10-Jan-2005 05:26
Running Xitami in Windows 2000 and PHP 4.3.7, nor PHP_SELF or SCRIPT_FILENAME is not availiable. Trying SCRIPT_NAME instead. Here is a function that returns the filename of a script without slashes. Good for use in HTML FORM ACTION=""-arguments...

function getThisFile() {

 /* try to use PHP_SELF first... */
 if (!empty($_SERVER['PHP_SELF'])) {
  $strScript = $_SERVER['PHP_SELF'];
 /* otherwise, try SCRIPT_NAME */
 } else if (!empty($_SERVER['SCRIPT_NAME'])) {
  $strScript = @$_SERVER['SCRIPT_NAME'];
 /* last resort - quit out and return nothing */
 } else {
  return null;
 }

 /* fint last frontslash in filename */
 $intLastSlash = strrpos($strScript, "/");

 /* check if last backslash is more far away in filename */
 if (strrpos($strScript, "\\")>$intLastSlash) {
  /* if so, use the backslash position instead */
  $intLastSlash = strrpos($strScript, "\\");
 }

 /* cut out from the last slash and to the end of the filename */
 return substr($strScript, $intLastSlash+1, strlen($strScript));
}

Tested on PHP 4.3.7/Win32 and PHP 5.0.3/Linux.
You may add more filepaths to the first if-section
to get more chances to catch up the filename if you can.
Matt Johnson
26-Dec-2004 08:50
A reminder: if you are considering using urldecode() on a $_GET variable, DON'T!

Evil PHP:

<?php
# BAD CODE! DO NOT USE!
$term = urldecode($_GET['sterm']);
?>

Good PHP:

<?php
$term = $_GET['sterm'];
?>

The webserver will arrange for $_GET to have been urldecoded once already by the time it reaches you!

Using urldecode() on $_GET can lead to extreme badness, PARTICULARLY when you are assuming "magic quotes" on GET is protecting you against quoting.

Hint: script.php?sterm=%2527 [...]

PHP "receives" this as %27, which your urldecode() will convert to "'" (the singlequote). This may be CATASTROPHIC when injecting into SQL or some PHP functions relying on escaped quotes -- magic quotes rightly cannot detect this and will not protect you!

This "common error" is one of the underlying causes of the Santy.A worm which affects phpBB < 2.0.11.
mrnopersonality at yahoo dot com
19-Oct-2004 11:13
Nothing about the message-body ...

You can get cookies, session variables, headers, the request-uri , the request method, etc but not the message body. You may want it sometimes when your page is to be requested with the POST method.

Maybe they should have mentioned $HTTP_RAW_POST_DATA or php://stdin
hfuecks at phppatterns dot com
06-Sep-2004 03:21
Using Apache/mod_ssl, there are further environment variables available to check for an SSL connection (can be more useful than $_SERVER['SERVER_PORT']), documented here: http://www.modssl.org/docs/2.8/ssl_reference.html#ToC25

To test whether the client connected with SSL I can use $_SERVER['HTTPS'] e.g (with redirect to secured, current URL);

<?php
if ( !isset($_SERVER['HTTPS']) || strtolower($_SERVER['HTTPS']) != 'on' ) {
   header ('Location: https://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
   exit();
}
?>
boaz at babylon dot com
30-Aug-2004 10:13
You can add $_SERVER["DOCUMENT_ROOT"] to IIS by editing the Environment Variables of your Windows server (was tested on WinXP SP2).

Right click on My Computer >> Properties >> Advanced.
In the System variables click on 'New' and Type in the name field 'DOCUMENT_ROOT' and in the value field  the path to your IIS document root folder.

Don't forget to restart your Windows (IIS restart won't load the new settings).
david at grant dot org dot uk
12-May-2004 08:34
$_SERVER['DOCUMENT_ROOT'] *is* supported by IIS, although only when running PHP as an ISAPI module.
youdontmeanmuch [at] yahoo.com
06-Apr-2004 12:20
Be carful when using $_SERVER['DOCUMENT_ROOT']; in your applications where you want to distribute them to other people with different server types. It isnt always supported by the webserver (IIS).
mortoray at ecircle-ag dot com
19-Dec-2003 01:32
The RAW / uninterpreted HTTP POst information can be accessed with:
   $GLOBALS['HTTP_RAW_POST_DATA']

This is useful in cases where the post Content-Type is not something PHP understands (such as text/xml).
josh,endquote,com
04-Dec-2003 07:54
Running PHP 4.3 under IIS 5 on Windows XP, there is no $_SERVER['REQUEST_URI'] variable. This seems to fix it:

if(!isset($_SERVER['REQUEST_URI'])) {
   $_SERVER['REQUEST_URI'] = substr($_SERVER['argv'][0], strpos($_SERVER['argv'][0], ';') + 1);
}
add a note add a note


后退起点前进
保留字列表上一级预定义类