PHPKonf Istanbul PHP Conference 2019 - Call for Papers

$_SERVER

$HTTP_SERVER_VARS [kaldırıldı]

(PHP 4 >= 4.1.0, PHP 5, PHP 7)

$_SERVER -- $HTTP_SERVER_VARS [kaldırıldı]Sunucu ve işletme ortamı bilgisi

Açıklama

$_SERVER başlıklar, yollar ve betiklerin yerleri gibi bilgileri içeren bir dizidir. Bu dizideki girdiler HTTP sunucusu tarafından oluşturulur. Her HTTP sunucusu bunları sunacak diye bir garanti yoktur; sunucular bazıları ile işlem yapmayabilir veya burada listelenmeyen başkalarını sağlayabilirler. Bu değişkenlerden çoğu » CGI/1.1 Belirtimi içinde ele alınırlar; yani bunlar genellikle her HTTP sunucusunda desteklenirler.

PHP 5.4.0 öncesinde, $HTTP_SERVER_VARS aynı başlangıç bilgisini içeriyordu, fakat bir süper küresel değildi ($HTTP_SERVER_VARS ve $_SERVER farklı değişkenlerdir ve PHP de bu şekilde ele alır).

İndisler

Aşağıdaki elemanlardan bazılarını $_SERVER içinde belki bulursunuz belki de bulamazsınız. PHP komut satırında çalıştırıldığında bu değişkenlerden bazılarının herhangi bir anlamı varsa komut satırında da kullanılabileceğine dikkat ediniz.

'PHP_SELF'
Çalıştırılmakta olan betiğin, belge kök dizinine göreli dosya adıdır. Örneğin, http://example.com/foo/bar.php adresindeki bir betik için $_SERVER['PHP_SELF'] değeri /foo/bar.php olacaktır. __FILE__ sabiti geçerli dosyanın tam yolunu ve dosya adını içerir. PHP 4.3.0 dan beri, eğer PHP komut satırı işlemcisi olarak çalışıyorsa bu değişken betik adını içerir. Önceki sürümlerde bu mevcut değildi.
'argv'
Betiğe aktarılan değiştirge dizisidir. Betik komut satırında çalıştığında, komut satırı değiştirgelerine C gibi erişim imkanı verir. Betik GET yöntemi üzerinden çağrıldığında, bu değişken sorgu dizgesini içerir.
'argc'
Betiğe aktarılan komut satırı değiştirgelerinin sayısını içerir (betik eğer komut satırından çalıştırılıyorsa).
'GATEWAY_INTERFACE'
Sunucunun desteklediği CGI belirtiminin sürümünü içerir; 'CGI/1.1' gibi.
'SERVER_ADDR'
Geçerli betiğin altında çalıştığı sunucunun IP adresidir.
'SERVER_NAME'
Geçerli betiğin altında çalıştığı sunucunun adıdır. Eğer betik bir sanal konak üzerinde çalışıyorsa, o sanal konağın adını içerir.

Bilginize: Apache 2 altında, UseCanonicalName = On ve ServerName atamalarını yapmalısınız. Aksi takdirde, bu değer istemci tarafından belirtilmiş muhtemelen sahte bir konak ismi içerebilir. Güvenliliğin önemli olduğu içeriklerde bu değere güvenmek doğru değildir.

'SERVER_SOFTWARE'
Sunucu kimlik dizgesi, isteklere verilen cevap başlıklarının içinde verilir.
'SERVER_PROTOCOL'
Sayfa isteğinin yapıldığı protokolün ismi ve sürümüdür; 'HTTP/1.1' gibi;
'REQUEST_METHOD'
Sayfaya erişim için kullanılan istek yöntemi; 'GET', 'HEAD', 'POST', 'PUT' gibi.

Bilginize:

Eğer istek yöntemi HEAD ise PHP betiği başlıklar gönderildikten sonra (çıktının çıktı tamponu olmadan üretilmesinden sonra anlamında) sonlandırılır.

'REQUEST_TIME'
İsteğin başlangıç zaman etiketidir. PHP 5.1.0'dan beri mevcuttur.
'REQUEST_TIME_FLOAT'
Mikrosaniye cinsinden isteğin başlangıç zaman damgası. PHP 5.4.0 itibariyle geçerlidir.
'QUERY_STRING'
Sorgu dizgesi, sayfaya erişirken kullanılabilir.
'DOCUMENT_ROOT'
Sunucunun ayar dosyasında da tanımlandığı gibi, geçerli betiğin altında çalıştığı belge kök dizinidir.
'HTTP_ACCEPT'
Geçerli isteğin Accept: başlığının içeriğidir.
'HTTP_ACCEPT_CHARSET'
Geçerli isteğin Accept-Charset: başlığının içeriğidir. Örnek: 'iso-8859-9,*,utf-8'.
'HTTP_ACCEPT_ENCODING'
Geçerli isteğin Accept-Encoding: başlığının içeriğidir. Örnek: 'gzip'.
'HTTP_ACCEPT_LANGUAGE'
Geçerli isteğin Accept-Language: başlığının içeriğidir. Örnek: 'tr'.
'HTTP_CONNECTION'
Geçerli isteğin Connection: başlığının içeriğidir. Örnek: 'Keep-Alive'.
'HTTP_HOST'
Geçerli isteğin Host: başlığının içeriğidir.
'HTTP_REFERER'
Kullanıcı tarayıcısını geçerli sayfaya gönderen sayfanın (varsa) adresidir. Bu kullanıcı tarayıcısı tarafından belirtilir. Her kullanıcı tarayıcısı bunu belirtmez ve bazıları HTTP_REFERER değiştirmeyi bir özellik olarak sunar. Kısaca, buna güvenilemez.
'HTTP_USER_AGENT'
Geçerli isteğin User-Agent: başlığının içeriğidir. Bu sayfaya erişen kullanıcı tarayıcısını ifade eden bir dizgedir. Örneğin: Mozilla/4.5 [en] (X11; U; Linux 2.2.9 i586) get_browser() işlevi ile elde edebileceğiniz bu değeri sayfanın çıktısını kullanıcının tarayıcısına göre şekillendirmek için kullanabilirsiniz.
'HTTPS'
Eğer betik HTTPS protokolü ile sorgulanmışsa boş olmayan bir değer atanır.

Bilginize: IIS ile ISAPI kullanırken, eğer istek HTTPS protokolü ile yapılmamışsa, bu değerin off olacağına dikkat ediniz.

'REMOTE_ADDR'
Geçerli sayfayı görüntüleyen kullanıcının IP adresidir.
'REMOTE_HOST'
Geçerli sayfayı görüntüleyen kullanıcının sunucu adıdır. Kullanıcının REMOTE_ADDR değerinden ters dns sorgusuyla elde edilir.

Bilginize: HTTP sunucunuz bu değişkeni oluşturmak için ayarlanmak zorundadır. Örneğin Apache'de httpd.conf içinde HostnameLookups On olmalıdır. Ayrıca gethostbyaddr() işlevine de bakınız.

'REMOTE_PORT'
Kullanıcının makinesinin HTTP sunucusu ile haberleşmek için kullandığı porttur.
'REMOTE_USER'
Kimliği kanıtlanmış kullanıcı.
'REDIRECT_REMOTE_USER'
İstek dahilen yönlendirilmişse kimliğİ kanıtlanmış kullanıcı.
'SCRIPT_FILENAME'

Geçerli betiğin mutlak yoludur.

Bilginize:

Eğer betik file.php veya ../file.php gibi göreli bir yolla komut satırından çalıştırılırsa, $_SERVER['SCRIPT_FILENAME'] kullanıcı tarafından belirtilen göreli yolu içerir.

'SERVER_ADMIN'
HTTP sunucusu ayar dosyasındaki SERVER_ADMIN (Apache için) yönergesine verilen değerdir. Eğer betik bir sanal konak üzerinde çalışıyorsa, o sanal konak için için tanımlanmış değer olur.
'SERVER_PORT'
Haberleşme için HTTP sunucusu tarafından kullanılan porttur. Öntanımlı kurulumlar için değeri '80'dir; örneğin SSL kullanımında bunu güvenli HTTP portu olarak ne tanımladıysanız ona değiştirebilirsiniz.

Bilginize: Apache 2 altında, fiziksel (gerçek) portu almak için UseCanonicalName = On'dan başka UseCanonicalPhysicalPort = On da tanımlamalısınız, aksi takdirde, bu değer sahte olabilir ve fiziksel port değerini döndürüp döndürmeyeceği belli olmaz. Güvenliliğin önemli olduğu içeriklerde bu değere güvenmek doğru değildir.

'SERVER_SIGNATURE'
Eğer etkinse, sunucu tarafından üretilen sayfalara eklenen, sunucu sürümünü ve sanal konak adını içeren dizgidir.
'PATH_TRANSLATED'
Sunucu gerekli sanaldan gerçeğe dönüşümleri yaptıktan sonra geçerli betiğin dosya sistemini (belge kökü değil) temel alan yoludur.

Bilginize: PHP 4.3.2'den itibaren PATH_TRANSLATED değeri Apache 2'de Apache 1'in tersine SAPI altında örtük olarak belirtilmez. Apache 1'de bu değer Apache tarafından yerleştirilmediğinde bu değer SCRIPT_FILENAME sunucu değişkeni ile aynı olurdu. Bu değişiklik, PATH_TRANSLATED değişkeninin sadece PATH_INFO değişkeninin tanımlı olması durumunda var olmasını gerektiren CGI belirtimi ile uyum sağlamak için yapılmıştır. Apache 2 kullanıcıları PATH_INFO tanımlatmak için httpd.conf içinde AcceptPathInfo = On yapılandırmasını kullanabilirler.

'SCRIPT_NAME'
Geçerli betiğin yolunu içerir. Kendi kendilerini göstermesi gereken sayfalar için kullanışlıdırlar. __FILE__ sabiti geçerli (örn. içerilen) dosyanın tam yolunu vedosya adını içerir.
'REQUEST_URI'
Sayfaya erişim için belirtilen URI; örneğin, '/index.html'.
'PHP_AUTH_DIGEST'
Özetli HTTP kimlik doğrulaması yapılırken bu değişken istemci tarafından gönderilen 'Authorization' başlığında belirtilir (böylece siz de uygun geçerlilik denetimini yapmak için bunu kullanabilirsiniz).
'PHP_AUTH_USER'
HTTP kimlik doğrulaması yapılırken bu değişkene kullanıcı tarafından sağlanan kullanıcı adı atanır.
'PHP_AUTH_PW'
HTTP kimlik doğrulaması yapılırken bu değişkene kullanıcı tarafından sağlanan parola atanır.
'AUTH_TYPE'
Apache altında modül olarak HTTP kimlik doğrulaması yapılırken bu değişkene kullanılan kimlik doğrulama türü atanır.
'PATH_INFO'
İstemci tarafından sağlanan dosya yolunu içerir; dosya isminin ardında bir sorgu dizgesi olsa bile bu gösterilmez. Örneğin, betiğe şu URL ile erişiliyor olsun: http://www.example.com/php/path_info.php/some/stuff?foo=bar. Bu durumda $_SERVER['PATH_INFO'], /some/stuff değerini içerecektir.
'ORIG_PATH_INFO'
PHP tarafından işlenmeden önceki özgün 'PATH_INFO'.

Sürüm Bilgisi

Sürüm: Açıklama
5.4.0 Uzun dizili kayıtlar kullanımdan kaldırıldığından dolayı $HTTP_SERVER_VARS artık kullanılmamaktadır.
5.3.0 $HTTP_SERVER_VARS kullanımını sağlayan register_long_arrays yönergesinin kullanımı önerilmemektedir.
4.1.0 $_SERVER ortaya çıkmıştır ve $HTTP_SERVER_VARS kullanımı önerilmemektedir.

Örnekler

Örnek 1 - $_SERVER örneği

<?php
echo $_SERVER['SERVER_NAME'];
?>

Yukarıdaki örnek şuna benzer bir çıktı üretir:

www.example.com

Notlar

Bilginize:

Bu bir süper küreseldir. Yani bir betiğin her yerinde geçerlidir. Değişkene işlevler ve yöntemlerin içinden erişmek için global $değişken; deyimine gerek yoktur.

Ayrıca Bakınız

add a note add a note

User Contributed Notes 68 notes

up
302
zeufonlinux at gmail dot com
5 years ago
Just a PHP file to put on your local server (as I don't have enough memory)

<?php
$indicesServer
= array('PHP_SELF',
'argv',
'argc',
'GATEWAY_INTERFACE',
'SERVER_ADDR',
'SERVER_NAME',
'SERVER_SOFTWARE',
'SERVER_PROTOCOL',
'REQUEST_METHOD',
'REQUEST_TIME',
'REQUEST_TIME_FLOAT',
'QUERY_STRING',
'DOCUMENT_ROOT',
'HTTP_ACCEPT',
'HTTP_ACCEPT_CHARSET',
'HTTP_ACCEPT_ENCODING',
'HTTP_ACCEPT_LANGUAGE',
'HTTP_CONNECTION',
'HTTP_HOST',
'HTTP_REFERER',
'HTTP_USER_AGENT',
'HTTPS',
'REMOTE_ADDR',
'REMOTE_HOST',
'REMOTE_PORT',
'REMOTE_USER',
'REDIRECT_REMOTE_USER',
'SCRIPT_FILENAME',
'SERVER_ADMIN',
'SERVER_PORT',
'SERVER_SIGNATURE',
'PATH_TRANSLATED',
'SCRIPT_NAME',
'REQUEST_URI',
'PHP_AUTH_DIGEST',
'PHP_AUTH_USER',
'PHP_AUTH_PW',
'AUTH_TYPE',
'PATH_INFO',
'ORIG_PATH_INFO') ;

echo
'<table cellpadding="10">' ;
foreach (
$indicesServer as $arg) {
    if (isset(
$_SERVER[$arg])) {
        echo
'<tr><td>'.$arg.'</td><td>' . $_SERVER[$arg] . '</td></tr>' ;
    }
    else {
        echo
'<tr><td>'.$arg.'</td><td>-</td></tr>' ;
    }
}
echo
'</table>' ;

/*

That will give you the result of each variable like (if the file is server_indices.php at the root and Apache Web directory is in E:\web) :

PHP_SELF    /server_indices.php
argv    -
argc    -
GATEWAY_INTERFACE    CGI/1.1
SERVER_ADDR    127.0.0.1
SERVER_NAME    localhost
SERVER_SOFTWARE    Apache/2.2.22 (Win64) PHP/5.3.13
SERVER_PROTOCOL    HTTP/1.1
REQUEST_METHOD    GET
REQUEST_TIME    1361542579
REQUEST_TIME_FLOAT    -
QUERY_STRING   
DOCUMENT_ROOT    E:/web/
HTTP_ACCEPT    text/html,application/xhtml+xml,application/xml;q=0.9,*/
*;q=0.8
HTTP_ACCEPT_CHARSET    ISO
-8859-1,utf-8;q=0.7,*;q=0.3
HTTP_ACCEPT_ENCODING    gzip
,deflate,sdch
HTTP_ACCEPT_LANGUAGE    fr
-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
HTTP_CONNECTION    keep
-alive
HTTP_HOST    localhost
HTTP_REFERER    http
://localhost/
HTTP_USER_AGENT    Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17
HTTPS   
-
REMOTE_ADDR    127.0.0.1
REMOTE_HOST   
-
REMOTE_PORT    65037
REMOTE_USER   
-
REDIRECT_REMOTE_USER    -
SCRIPT_FILENAME    E:/web/server_indices.php
SERVER_ADMIN    myemail
@personal.us
SERVER_PORT    80
SERVER_SIGNATURE   
PATH_TRANSLATED   
-
SCRIPT_NAME    /server_indices.php
REQUEST_URI   
/server_indices.php
PHP_AUTH_DIGEST   
-
PHP_AUTH_USER    -
PHP_AUTH_PW    -
AUTH_TYPE    -
PATH_INFO    -
ORIG_PATH_INFO    -

*/
?>
up
88
Vladimir Kornea
9 years ago
1. All elements of the $_SERVER array whose keys begin with 'HTTP_' come from HTTP request headers and are not to be trusted.

2. All HTTP headers sent to the script are made available through the $_SERVER array, with names prefixed by 'HTTP_'.

3. $_SERVER['PHP_SELF'] is dangerous if misused. If login.php/nearly_arbitrary_string is requested, $_SERVER['PHP_SELF'] will contain not just login.php, but the entire login.php/nearly_arbitrary_string. If you've printed $_SERVER['PHP_SELF'] as the value of the action attribute of your form tag without performing HTML encoding, an attacker can perform XSS attacks by offering users a link to your site such as this:

<a href='http://www.example.com/login.php/"><script type="text/javascript">...</script><span a="'>Example.com</a>

The javascript block would define an event handler function and bind it to the form's submit event. This event handler would load via an <img> tag an external file, with the submitted username and password as parameters.

Use $_SERVER['SCRIPT_NAME'] instead of $_SERVER['PHP_SELF']. HTML encode every string sent to the browser that should not be interpreted as HTML, unless you are absolutely certain that it cannot contain anything that the browser can interpret as HTML.
up
2
ywarnier at beeznest dot org
5 months ago
For 'HTTPS', the note: "Note that when using ISAPI with IIS, the value will be off if the request was not made through the HTTPS protocol." is also true for Nginx + PHP-FPM. It is not empty(), it is set to 'off'.

So, to test it in a portable way, use this rather than "just" empty():

  if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') {
      // You are sure it's really HTTPS
  }
up
31
Lord Mac
9 years ago
An even *more* improved version...

<?php
phpinfo
(32);
?>
up
6
pierstoval at example dot com
1 year ago
As PHP $_SERVER var is populated with a lot of vars, I think it's important to say that it's also populated with environment vars.

For example, with a PHP script, we can have this:

    MY_ENV_VAR=Hello php -r 'echo $_SERVER["MY_ENV_VAR"];'
   
Will show "Hello".

But, internally, PHP makes sure that "internal" keys in $_SERVER are not overriden, so you wouldn't be able to do something like this:

    REQUEST_TIME=Hello php -r 'var_dump($_SERVER["REQUEST_TIME"]);'
   
Will show something like 1492897785

However, a lot of vars are still vulnerable from environment injection.

I created a gist here ( https://gist.github.com/Pierstoval/f287d3e61252e791a943dd73874ab5ee ) with my PHP configuration on windows with PHP7.0.15 on WSL with bash, the results are that the only "safe" vars are the following:

PHP_SELF
SCRIPT_NAME
SCRIPT_FILENAME
PATH_TRANSLATED
DOCUMENT_ROOT
REQUEST_TIME_FLOAT
REQUEST_TIME
argv
argc

All the rest can be overriden with environment vars, which is not very cool actually because it can break PHP applications sometimes...

(and I only tested on CLI, I had no patience to test with Apache mod_php or Nginx + PHP-FPM, but I can imagine that not a lot of $_SERVER properties are "that" secure...)
up
11
Tom
6 years ago
Be warned that most contents of the Server-Array (even $_SERVER['SERVER_NAME']) are provided by the client and can be manipulated. They can also be used for injections and thus MUST be checked and treated like any other user input.
up
11
Tonin
10 years ago
When using the $_SERVER['SERVER_NAME'] variable in an apache virtual host setup with a ServerAlias directive, be sure to check the UseCanonicalName apache directive.  If it is On, this variable will always have the apache ServerName value.  If it is Off, it will have the value given by the headers sent by the browser.

Depending on what you want to do the content of this variable, put in On or Off.
up
5
chris at ocproducts dot com
1 year ago
Guide to URL paths...

Data: $_SERVER['PHP_SELF']
Data type: String
Purpose: The URL path name of the current PHP file, including path-info (see $_SERVER['PATH_INFO']) and excluding URL query string. Includes leading slash.
Caveat: This is after URL rewrites (i.e. it's as seen by PHP, not necessarily the original call URL).
Works on web mode: Yes
Works on CLI mode: Tenuous (emulated to contain just the exact call path of the CLI script, with whatever exotic relative pathname you may call with, not made absolute and not normalised or pre-resolved)

Data: $_SERVER['SCRIPT_NAME']
Data type: String
Purpose: The URL path name of the current PHP file, excluding path-info and excluding URL query string. Includes leading slash.
Caveat: This is after URL rewrites (i.e. it's as seen by PHP, not necessarily the original call URL).
Caveat: Not set on all PHP environments, may need setting via preg_replace('#\.php/.*#', '.php', $_SERVER['PHP_SELF']).
Works on web mode: Yes
Works on CLI mode: Tenuous (emulated to contain just the exact call path of the CLI script, with whatever exotic relative pathname you may call with, not made absolute and not normalised or pre-resolved)

Data: $_SERVER['REDIRECT_URL']
Data type: String
Purpose: The URL path name of the current PHP file, path-info is N/A and excluding URL query string. Includes leading slash.
Caveat: This is before URL rewrites (i.e. it's as per the original call URL).
Caveat: Not set on all PHP environments, and definitely only ones with URL rewrites.
Works on web mode: Yes
Works on CLI mode: No

Data: $_SERVER['REQUEST_URI']
Data type: String
Purpose: The URL path name of the current PHP file, including path-info and including URL query string. Includes leading slash.
Caveat: This is before URL rewrites (i.e. it's as per the original call URL). *
*: I've seen at least one situation where this is not true (there was another $_SERVER variable to use instead supplied by the URL rewriter), but the author of the URL rewriter later fixed it so probably fair to dismiss this particular note.
Caveat: Not set on all PHP environments, may need setting via $_SERVER['REDIRECT_URL'] . '?' . http_build_query($_GET) [if $_SERVER['REDIRECT_URL'] is set, and imperfect as we don't know what GET parameters were originally passed vs which were injected in the URL rewrite] --otherwise-- $_SERVER['PHP_SELF'] . '?' . http_build_query($_GET).
Works on web mode: Yes
Works on CLI mode: No

Data: $_SERVER['PATH_INFO']
Data type: String
Purpose: Find the path-info, which is data after the .php filename in the URL call. It's a strange concept.
Caveat: Some environments may not support it, it is best avoided unless you have complete server control
Works on web mode: Yes
Works on CLI mode: No

Note that if something is not set it may be missing from $_SERVER, or it may be blank, so use PHP's 'empty' function for your test.
up
22
steve at sc-fa dot com
9 years ago
If you are serving from behind a proxy server, you will almost certainly save time by looking at what these $_SERVER variables do on your machine behind the proxy.  

$_SERVER['HTTP_X_FORWARDED_FOR'] in place of $_SERVER['REMOTE_ADDR']

$_SERVER['HTTP_X_FORWARDED_HOST'] and
$_SERVER['HTTP_X_FORWARDED_SERVER'] in place of (at least in our case,) $_SERVER['SERVER_NAME']
up
16
MarkAgius at markagius dot co dot uk
7 years ago
You have missed 'REDIRECT_STATUS'

Very useful if you point all your error pages to the same file.

File; .htaccess
# .htaccess file.

ErrorDocument 404 /error-msg.php
ErrorDocument 500 /error-msg.php
ErrorDocument 400 /error-msg.php
ErrorDocument 401 /error-msg.php
ErrorDocument 403 /error-msg.php
# End of file.

File; error-msg.php
<?php
  $HttpStatus
= $_SERVER["REDIRECT_STATUS"] ;
  if(
$HttpStatus==200) {print "Document has been processed and sent to you.";}
  if(
$HttpStatus==400) {print "Bad HTTP request ";}
  if(
$HttpStatus==401) {print "Unauthorized - Iinvalid password";}
  if(
$HttpStatus==403) {print "Forbidden";}
  if(
$HttpStatus==500) {print "Internal Server Error";}
  if(
$HttpStatus==418) {print "I'm a teapot! - This is a real value, defined in 1998";}

?>
up
9
krinklemail at gmail dot com
6 years ago
If requests to your PHP script send a header "Content-Type" or/ "Content-Length" it will, contrary to regular HTTP headers, not appear in $_SERVER as $_SERVER['HTTP_CONTENT_TYPE']. PHP removes these (per CGI/1.1 specification[1]) from the HTTP_ match group.

They are still accessible, but only if the request was a POST request. When it is, it'll be available as:
$_SERVER['CONTENT_LENGTH']
$_SERVER['CONTENT_TYPE']

[1] https://www.ietf.org/rfc/rfc3875
up
6
pomat at live dot it
5 years ago
$_SERVER['DOCUMENT_ROOT'] may contain backslashes on windows systems, and of course it may or may not have a trailing slash (backslash).
I saw the following as an example of the proper way we're supposed to deal with this issue:

<?php
include(dirname($_SERVER['DOCUMENT_ROOT']) . DIRECTORY_SEPARATOR . 'file.php');
?>

Ok, the latter may be used to access a file inside the parent directory of the document root, but actually does not properly address the issue.
In the end, don't warry about. It should be safe to use forward slashes and append a trailing slash in all cases.
Let's say we have this:

<?php
$path
= 'subdir/file.php';
$result = $_SERVER['DOCUMENT_ROOT'] . '/' . $path;
?>

On linux $result might be something like
1) "/var/www/subdir/file.php"
2) "/var/www//subdir/file.php"
String 2 is parsed the same as string 1 (have a try with command 'cd').

On windows $result might be something like
1) "C:/apache/htdocs/subdir/file.php"
2) "C:/apache/htdocs//subdir/file.php"
3) "C:\apache\htdocs/subdir/file.php"
4) "C:\apache\htdocs\/subdir/file.php"
All those strings are parsed as "C:\apache\htdocs\subdir\file.php" (have a try with 'cd').
up
11
jonbarnett at gmail dot com
10 years ago
It's worth noting that $_SERVER variables get created for any HTTP request headers, including those you might invent:

If the browser sends an HTTP request header of:
X-Debug-Custom: some string

Then:

<?php
$_SERVER
['HTTP_X_DEBUG_CUSTOM']; // "some string"
?>

There are better ways to identify the HTTP request headers sent by the browser, but this is convenient if you know what to expect from, for example, an AJAX script with custom headers.

Works in PHP5 on Apache with mod_php.  Don't know if this is true from other environments.
up
3
ywarnier at beeznest dot org
1 year ago
Note that $_SERVER['REQUEST_URI'] might include the scheme and domain in certain cases.

This happens, for example, when calling the page through a call to stream_context_create() with a HTTP header of 'request_fulluri' set to 1.

For example:

$http = ['request_fulluri' => 1, /* other params here */];
$context = stream_context_create(array( 'http' => $http ));
$fp = fopen($some_url, 'rb', false, $context);

When outputting $_SERVER['REQUEST_URI'] on the server at $some_url, you will get
https://some_url/some_script.php

Remove the request_fulluri => 1 option, and $_SERVER['REQUEST_URI'] gets back to its "normal":
/some_script.php

Apparently, request_fulluri is useful when using some proxy servers.

In this case, there is no proper way to "detect" if this option was set or not, and you should probably use a combination of other $_SERVER[] elements (like REQUEST_SCHEME, SERVER_NAME and SERVER_PORT) to determine if this was the case.

One quick (and improvable) way to detect it would be to compare the start of the REQUEST_URI with REQUEST_SCHEME:

$scheme = $_SERVER['REQUEST_SCHEME'] . '://';
if (strcmp(substr($_SERVER['REQUEST_URI'], 0, strlen($scheme)), $scheme) === 0) {
    // request_fulluri was set
}
up
11
mirko dot steiner at slashdevslashnull dot de
9 years ago
<?php

// RFC 2616 compatible Accept Language Parser
// http://www.ietf.org/rfc/rfc2616.txt, 14.4 Accept-Language, Page 104
// Hypertext Transfer Protocol -- HTTP/1.1

foreach (explode(',', $_SERVER['HTTP_ACCEPT_LANGUAGE']) as $lang) {
   
$pattern = '/^(?P<primarytag>[a-zA-Z]{2,8})'.
   
'(?:-(?P<subtag>[a-zA-Z]{2,8}))?(?:(?:;q=)'.
   
'(?P<quantifier>\d\.\d))?$/';

   
$splits = array();

   
printf("Lang:,,%s''\n", $lang);
    if (
preg_match($pattern, $lang, $splits)) {
       
print_r($splits);
    } else {
        echo
"\nno match\n";
    }
}

?>

example output:

Google Chrome 3.0.195.27 Windows xp

Lang:,,de-DE''
Array
(
    [0] => de-DE
    [primarytag] => de
    [1] => de
    [subtag] => DE
    [2] => DE
)
Lang:,,de;q=0.8''
Array
(
    [0] => de;q=0.8
    [primarytag] => de
    [1] => de
    [subtag] =>
    [2] =>
    [quantifier] => 0.8
    [3] => 0.8
)
Lang:,,en-US;q=0.6''
Array
(
    [0] => en-US;q=0.6
    [primarytag] => en
    [1] => en
    [subtag] => US
    [2] => US
    [quantifier] => 0.6
    [3] => 0.6
)
Lang:,,en;q=0.4''
Array
(
    [0] => en;q=0.4
    [primarytag] => en
    [1] => en
    [subtag] =>
    [2] =>
    [quantifier] => 0.4
    [3] => 0.4
)
up
9
rulerof at gmail dot com
8 years ago
I needed to get the full base directory of my script local to my webserver, IIS 7 on Windows 2008.

I ended up using this:

<?php
function GetBasePath() {
    return
substr($_SERVER['SCRIPT_FILENAME'], 0, strlen($_SERVER['SCRIPT_FILENAME']) - strlen(strrchr($_SERVER['SCRIPT_FILENAME'], "\\")));
}
?>

And it returned C:\inetpub\wwwroot\<applicationfolder> as I had hoped.
up
9
Richard York
9 years ago
Not documented here is the fact that $_SERVER is populated with some pretty useful information when accessing PHP via the shell.

["_SERVER"]=>
  array(24) {
    ["MANPATH"]=>
    string(48) "/usr/share/man:/usr/local/share/man:/usr/X11/man"
    ["TERM"]=>
    string(11) "xterm-color"
    ["SHELL"]=>
    string(9) "/bin/bash"
    ["SSH_CLIENT"]=>
    string(20) "127.0.0.1 41242 22"
    ["OLDPWD"]=>
    string(60) "/Library/WebServer/Domains/www.example.com/private"
    ["SSH_TTY"]=>
    string(12) "/dev/ttys000"
    ["USER"]=>
    string(5) "username"
    ["MAIL"]=>
    string(15) "/var/mail/username"
    ["PATH"]=>
    string(57) "/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/X11/bin"
    ["PWD"]=>
    string(56) "/Library/WebServer/Domains/www.example.com/www"
    ["SHLVL"]=>
    string(1) "1"
    ["HOME"]=>
    string(12) "/Users/username"
    ["LOGNAME"]=>
    string(5) "username"
    ["SSH_CONNECTION"]=>
    string(31) "127.0.0.1 41242 10.0.0.1 22"
    ["_"]=>
    string(12) "/usr/bin/php"
    ["__CF_USER_TEXT_ENCODING"]=>
    string(9) "0x1F5:0:0"
    ["PHP_SELF"]=>
    string(10) "Shell.php"
    ["SCRIPT_NAME"]=>
    string(10) "Shell.php"
    ["SCRIPT_FILENAME"]=>
    string(10) "Shell.php"
    ["PATH_TRANSLATED"]=>
    string(10) "Shell.php"
    ["DOCUMENT_ROOT"]=>
    string(0) ""
    ["REQUEST_TIME"]=>
    int(1247162183)
    ["argv"]=>
    array(1) {
      [0]=>
      string(10) "Shell.php"
    }
    ["argc"]=>
    int(1)
  }
up
3
plugwash at p10link dot net
3 years ago
Be aware that it's a bad idea to access x-forwarded-for and similar headers through this array. The header names are mangled when populating the array and this mangling can introduce spoofing vulnerabilities.

See http://en.wikipedia.org/wiki/User:Brion_VIBBER/Cool_Cat_incident_report for details of a real world exploit of this.
up
8
chris
9 years ago
A table of everything in the $_SERVER array can be found near the bottom of the output of phpinfo();
up
4
php at isnoop dot net
8 years ago
Use the apache SetEnv directive to set arbitrary $_SERVER variables in your vhost or apache config.

SetEnv varname "variable value"
up
3
Stefano (info at sarchittu dot org)
8 years ago
A way to get the absolute path of your page, independent from the site position (so works both on local machine and on server without setting anything) and from the server OS (works both on Unix systems and Windows systems).

The only parameter it requires is the folder in which you place this script
So, for istance, I'll place this into my SCRIPT folder, and I'll write SCRIPT word length in $conflen

<?php
$conflen
=strlen('SCRIPT');
$B=substr(__FILE__,0,strrpos(__FILE__,'/'));
$A=substr($_SERVER['DOCUMENT_ROOT'], strrpos($_SERVER['DOCUMENT_ROOT'], $_SERVER['PHP_SELF']));
$C=substr($B,strlen($A));
$posconf=strlen($C)-$conflen-1;
$D=substr($C,1,$posconf);
$host='http://'.$_SERVER['SERVER_NAME'].'/'.$D;
?>

$host will finally contain the absolute path.
up
1
chris at ocproducts dot com
1 year ago
Guide to absolute paths...

Data: __FILE__
Data type: String
Purpose: The absolute pathname of the running PHP file, including the filename.
Caveat: This is not the file called by the PHP processor, it's what is running. So if you are inside an include, it's the include.
Caveat: Symbolic links are pre-resolved, so don't trust comparison of paths to be accurate.
Caveat: Don't assume all operating systems use '/' for the directory separator.
Works on web mode: Yes
Works on CLI mode: Yes

Data: __DIR__
Data type: String
Purpose: The absolute pathname to the running PHP file, excluding the filename
Caveat: This is not the file called by the PHP processor, it's what is running. So if you are inside an include, it's the include.
Caveat: Symbolic links are pre-resolved, so don't trust comparison of paths to be accurate.
Caveat: Don't assume all operating systems use '/' for the directory separator.
Works on web mode: Yes
Works on CLI mode: Yes

Data: $_SERVER['SCRIPT_FILENAME']
Data type: String
Purpose: The absolute pathname of the origin PHP file, including the filename
Caveat: Not set on all PHP environments, may need setting by copying from __FILE__ before other files are included.
Caveat: Symbolic links are not pre-resolved, use PHP's 'realpath' function if you need it resolved.
Caveat: Don't assume all operating systems use '/' for the directory separator.
Caveat: "Filename" makes you think it is just a filename, but it really is the full absolute pathname. Read the identifier as "Script's filesystem (path)name".
Works on web mode: Yes
Works on CLI mode: Yes

Data: $_SERVER['PATH_TRANSLATED']
Data type: String
Purpose: The absolute pathname of the origin PHP file, including the filename
Caveat: It's probably not set, best to just not use it. Just use realpath($_SERVER['SCRIPT_FILENAME']) (and be aware that itself may need to have been emulated).
Caveat: Symbolic links are pre-resolved, so don't trust comparison of paths to be accurate.
Caveat: Don't assume all operating systems use '/' for the directory separator.
Works on web mode: Yes
Works on CLI mode: No

Data: $_SERVER['DOCUMENT_ROOT']
Data type: String
Purpose: Get the absolute path to the web server's document root. No trailing slash.
Caveat: Don't trust this to be set, or set correctly, unless you control the server environment.
Caveat: May or may not have symbolic links pre-resolved, use PHP's 'realpath' function if you need it resolved.
Caveat: Don't assume all operating systems use '/' for the directory separator.
Works on web mode: Yes
Works on CLI mode: No

Note that if something is not set it may be missing from $_SERVER, or it may be blank, so use PHP's 'empty' function for your test.

Note that if you call "php --info" on the command line then naturally some of these settings are going to be blank, as no PHP file is involved.
up
4
jette at nerdgirl dot dk
10 years ago
Windows running IIS v6 does not include $_SERVER['SERVER_ADDR']

If you need to get the IP addresse, use this instead:

<?php
$ipAddress
= gethostbyname($_SERVER['SERVER_NAME']);
?>
up
3
jarrod at squarecrow dot com
9 years ago
$_SERVER['DOCUMENT_ROOT'] is incredibly useful especially when working in your development environment. If you're working on large projects you'll likely be including a large number of files into your pages. For example:

<?php
//Defines constants to use for "include" URLS - helps keep our paths clean

       
define("REGISTRY_CLASSES"$_SERVER['DOCUMENT_ROOT']."/SOAP/classes/");
       
define("REGISTRY_CONTROLS", $_SERVER['DOCUMENT_ROOT']."/SOAP/controls/");

       
define("STRING_BUILDER",     REGISTRY_CLASSES. "stringbuilder.php");
       
define("SESSION_MANAGER",     REGISTRY_CLASSES. "sessionmanager.php");
       
define("STANDARD_CONTROLS",    REGISTRY_CONTROLS."standardcontrols.php");
?>

In development environments, you're rarely working with your root folder, especially if you're running PHP locally on your box and using DOCUMENT_ROOT is a great way to maintain URL conformity. This will save you hours of work preparing your application for deployment from your box to a production server (not to mention save you the headache of include path failures).
up
3
wbeaumo1 at gmail dot com
8 years ago
Don't forget $_SERVER['HTTP_COOKIE']. It contains the raw value of the 'Cookie' header sent by the user agent.
up
3
pudding06 at gmail dot com
9 years ago
Here's a simple, quick but effective way to block unwanted external visitors to your local server:

<?php
// only local requests
if ($_SERVER['REMOTE_ADDR'] !== '127.0.0.1') die(header("Location: /"));
?>

This will direct all external traffic to your home page. Of course you could send a 404 or other custom error. Best practice is not to stay on the page with a custom error message as you acknowledge that the page does exist. That's why I redirect unwanted calls to (for example) phpmyadmin.
up
1
wyattstorch42 at outlook dot com
5 years ago
<?php
/*
* I wrote this because I was including a file with classes in it. Let's say that
* I have a contact page at mysite.com/contact/index.php and a Form class at
* mysite.com/classes/Form.php. So in index.php, I have this statement:
* require '../classes/Form.php';
* The Form class includes a method to generate the HTML markup for a number of
* form elements, including a CAPTCHA image and associated text field. To do so,
* it must generate an <img /> element and give it a src of Form.php?captcha.
* But I wanted it to automatically generate a src attribute without index.php
* giving it a relative path. This script comes in handy by automatically
* locating the directory that contains the included file (Form.php) and converting
* it from an absolute path to a relative path that could be used for an img src,
* an a href, a link href, etc.
*/
function relativeURL () {
   
$dir = str_replace('\\', '/', __DIR__);
       
// Resolves inconsistency with PATH_SEPARATOR on Windows vs. Linux
        // Use dirname(__FILE__) in place of __DIR__ for older PHP versions
   
return substr($dir, strlen($_SERVER['DOCUMENT_ROOT']));
       
// Clip off the part of the path outside of the document root
}

/*
*contact/index.php
*/
require '../classes/Form.php';
new
Form()->drawCaptchaField();
   
// Writes: <img src="/classes/Form.php?captcha" />

   
/*
* classes/Form.php
*/
if (isset($_GET['captcha'])) {
   
// generate/return CAPTCHA image
}

class
Form {
   
// ...
   
public function drawCaptchaField () {
        echo
'<img src="'.relativeURL().'?captcha" />';
    }
}
?>
up
0
lilJoshu
1 month ago
Remember,

Although $_SERVER["REQUEST_METHOD"] is initially built with GET, POST, PUT, HEAD in mind, a server can allow more.

This may be important if you're building a RESTful interfaces that will also use methods such as PATCH and DELETE.

Also important as a security risk as a possible point of injection. In the event of building something acting based on REQUEST_METHOD, it's recommended to put it in a switch statement.

<?php
switch ($_SERVER["REQUEST_METHOD"]){
   case
"PUT":
      
foo_replace_data();
       break;
   case
"POST":
      
foo_add_data();
       break;
   case
"HEAD";
      
foo_set_that_cookie();
       break;
   case
"GET":
   default:
     
foo_fetch_stuff()
      break;
}

?>
up
0
razvan_bc at yahoo dot com
2 months ago
In 2018 things can be pretty cool !!!
look around:

<?php
//save it index.php in a root folder

/*
    if($_SERVER["REQUEST_METHOD"]!='GET'){
        echo('it`s a POST');
    }else{   
        echo('it`s a GET');
    }
*/

$_REQ =& $_SERVER["REQUEST_METHOD"];
(
$_REQ=='POST')and($what='it`s a POST');
(
$_REQ=='GET')and($what='it`s a GET');
isset(
$what) and print($what);

?>
<form method="POST" action="">
<input type="text" name="postbaby" value="sadasdsa">
<input type="submit" value="POST THAT">
</form>
<br>
<form method="GET" action="">
<input type="text" name="getbaby" value="sadasdsa">
<input type="submit" value="GET THAT">
</form>
<hr><?php
phpinfo
();
?>

what if you have a class with controllers?
i hope will not be depreciated cause STATIC CALLS I TEST ALREADY ARE VERY FAST:

<?php
//save it index.php in a root folder

/*
    if($_SERVER["REQUEST_METHOD"]!='GET'){
        echo('it`s a POST');
    }else{   
        echo('it`s a GET');
    }
*/
class forms {
    public static function
type(){
        return
$_SERVER["REQUEST_METHOD"];
    }
    public static function
post($f){
        (
self::type()=='POST')and $f();
    }
   
    public static function
get($f){
        (
self::type()=='GET')and $f();
    }
}

?>
<form method="POST" action="">
<input type="text" name="postbaby" value="sadasdsa">
<input type="submit" value="POST THAT">
</form>
<br>
<form method="GET" action="">
<input type="text" name="getbaby" value="sadasdsa">
<input type="submit" value="GET THAT">
</form>
<hr><?php
forms
::post(function(){
   
$what='it`s a POST';echo($what);
});

forms::get(function(){
   
$what='it`s a GET';echo($what);
});
//phpinfo();
?>
up
2
info at mtprod dot com
9 years ago
On Windows IIS 7 you must use $_SERVER['LOCAL_ADDR'] rather than $_SERVER['SERVER_ADDR'] to get the server's IP address.
up
1
jit_chavan at yahoo dot com
4 years ago
searched $_SERVER["REDIRECT_URL"] for a while and noted that it is not mentioned in php documentation page itself. look like this is only generated by apache server(not others) and using   $_SERVER["REQUEST_URI"] will be useful in some cases as mine.
up
0
bilgus at bilgus dot com
1 year ago
I liked pulling the names and values directly from the $_SERVER array better than naming all arguments

<?php
echo '<table cellpadding="10">' ;
foreach(
$_SERVER as $paramName => $varServer) {
    if (isset(
$_SERVER[$paramName])) {
       
ob_start();
       
var_dump($varServer);
       
$varDump = ob_get_clean();
        echo
'<tr><td>'.$paramName.'</td><td>'.$varDump.'</td></tr>' ;
    }
    else {
        echo
'<tr><td>'.$paramName.'</td><td>-</td></tr>' ;
    }
}
echo
'</table>' ;
up
1
picov at e-link dot it
7 years ago
A simple function to detect if the current page address was rewritten by mod_rewrite:

<?php
public function urlWasRewritten() {
 
$realScriptName=$_SERVER['SCRIPT_NAME'];
 
$virtualScriptName=reset(explode("?", $_SERVER['REQUEST_URI']));
  return !(
$realScriptName==$virtualScriptName);
}
?>
up
-2
centurianii at yahoo dot co dot uk
1 year ago
If you apply redirection in ALL your requests using commands at the Apache virtual host file like:
RewriteEngine On
RewriteCond "%{REQUEST_URI}" "!=/index.php"
RewriteRule "^/(.*)$" "index.php?$1" [NC,NE,L,QSA]
you should expect some deviations in your $_SERVER global.

Say, you send a url of: [hostname here]/a/b?x=1&y=2
which makes Apache to modify to: /index.php?/a/b?x=1&y=2

Now your $_SERVER global contains among others:
'REQUEST_URI' => '/a/b?x=1&y=2', it retains the initial url after the host
'QUERY_STRING' => 'a/b&x=1&y=2', notice how php replaces '?' with '&'
'SCRIPT_NAME' => '/index.php', as it was intended to be.

To test your $_SERVER global:
function serverArray(){
   $arr = array();
   foreach($_SERVER as $key=>$value)
      $arr[] = '&nbsp;&nbsp;&nbsp;\'' . $key . '\' => \'' . (isset($value)? $value : '-') . '\'';
   return @\sort($arr)? '$_SERVER = array(<br />' . implode($arr, ',<br />') . '<br />);' : false;
}
echo serverArray();
up
1
silverquick at gmail dot com
10 years ago
I think the HTTPS element will only be present under Apache 2.x. It's not in the list of "special" variables here:
http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html#RewriteCond
But it is here:
http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html#rewritecond
up
0
dtomasiewicz at gmail dot com
8 years ago
To get an associative array of HTTP request headers formatted similarly to get_headers(), this will do the trick:

<?php
/**
* Transforms $_SERVER HTTP headers into a nice associative array. For example:
*   array(
*       'Referer' => 'example.com',
*       'X-Requested-With' => 'XMLHttpRequest'
*   )
*/
function get_request_headers() {
   
$headers = array();
    foreach(
$_SERVER as $key => $value) {
        if(
strpos($key, 'HTTP_') === 0) {
           
$headers[str_replace(' ', '-', ucwords(str_replace('_', ' ', strtolower(substr($key, 5)))))] = $value;
        }
    }
    return
$headers;
}
?>
up
-1
answer at question dot forever
3 years ago
I'm lazy but rigorous:
<?php
while (list($var,$value) = each ($_SERVER)) {
echo
$var." Val:".$value."<br />";
}
<
a href="https://blog.sinatranetwork.com/2011/07/20/php-how-to-print-all-_server-variables/">Thank you sir!</a>
?>
up
-1
chris at ocproducts dot com
1 year ago
Guide to script parameters...

Data: $_GET
Data type: Array (map)
Purpose: Contains all GET parameters (i.e. a parsed URL query string).
Caveat: GET parameter names have to be compliant with PHP variable naming, e.g. dots are not allowed and get substituted.
Works on web mode: Yes
Works on CLI mode: No

Data: $_SERVER['QUERY_STRING']
Data type: String
Purpose: Gets an unparsed URL query string.
Caveat: Not set on all PHP environments, may need setting via http_build_query($_GET).
Works on web mode: Yes
Works on CLI mode: No

Data: $_SERVER['argv']
Data type: Array (list)
Purpose: Get CLI call parameters.
Works on web mode: Tenuous (just contains a single parameter, the query string)
Works on CLI mode: Yes
up
-1
2962051004 at qq dot com
9 months ago
<?php
/*
Sometimes you will find that your website will not get the correct user IP after adding CDN, then this function will help you
*/
function real_ip()
{
  
$ip = $_SERVER['REMOTE_ADDR'];
    if (isset(
$_SERVER['HTTP_X_FORWARDED_FOR']) && preg_match_all('#\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}#s', $_SERVER['HTTP_X_FORWARDED_FOR'], $matches)) {
        foreach (
$matches[0] AS $xip) {
            if (!
preg_match('#^(10|172\.16|192\.168)\.#', $xip)) {
               
$ip = $xip;
                break;
            }
        }
    } elseif (isset(
$_SERVER['HTTP_CLIENT_IP']) && preg_match('/^([0-9]{1,3}\.){3}[0-9]{1,3}$/', $_SERVER['HTTP_CLIENT_IP'])) {
       
$ip = $_SERVER['HTTP_CLIENT_IP'];
    } elseif (isset(
$_SERVER['HTTP_CF_CONNECTING_IP']) && preg_match('/^([0-9]{1,3}\.){3}[0-9]{1,3}$/', $_SERVER['HTTP_CF_CONNECTING_IP'])) {
       
$ip = $_SERVER['HTTP_CF_CONNECTING_IP'];
    } elseif (isset(
$_SERVER['HTTP_X_REAL_IP']) && preg_match('/^([0-9]{1,3}\.){3}[0-9]{1,3}$/', $_SERVER['HTTP_X_REAL_IP'])) {
       
$ip = $_SERVER['HTTP_X_REAL_IP'];
    }
    return
$ip;

}
echo
real_ip();

?>
up
-1
cupy at email dot cz
9 years ago
Tech note:
$_SERVER['argc'] and $_SERVER['argv'][] has some funny behaviour,
used from linux (bash) commandline, when called like
"php ./script_name.php 0x020B"
there is everything correct, but
"./script_name.php 0x020B"
is not correct - "0" is passed instead of "0x020B" as $_SERVER['argv'][1] - see the script below.
Looks like the parameter is not passed well from bash to PHP.
(but, inspected on the level of bash, 0x020B is understood well as $1)

try this example:

------------->8------------------
cat ./script_name.php
#! /usr/bin/php

if( $_SERVER['argc'] == 2)
  {
    // funny... we have to do this trick to pass e.g. 0x020B from parameters
    // ignore this: "PHP Notice:  Undefined offset:  2 in ..."
    $EID = $_SERVER['argv'][1] + $_SERVER['argv'][2] + $_SERVER['argv'][3];
  }
else
   {        // default
     $EID = 0x0210; // PPS failure
   }
up
-2
dii3g0
6 years ago
Proccess path_info

<?php
function get_path_info()
{
    if( !
array_key_exists('PATH_INFO', $_SERVER) )
    {
       
$pos = strpos($_SERVER['REQUEST_URI'], $_SERVER['QUERY_STRING']);
   
       
$asd = substr($_SERVER['REQUEST_URI'], 0, $pos - 2);
       
$asd = substr($asd, strlen($_SERVER['SCRIPT_NAME']) + 1);
       
        return
$asd;   
    }
    else
    {
        return
trim($_SERVER['PATH_INFO'], '/');
    }
}
up
-1
geoffrey dot hoffman at gmail dot com
10 years ago
If you are looking at $_SERVER['HTTP_USER_AGENT'] to determine whether your user is on a mobile device, you may want to visit these resources:

http://wurfl.sourceforge.net/

http://www.zytrax.com/tech/web/mobile_ids.html
up
-2
admin at NOSpAM dot sinfocol dot org
8 years ago
I was testing with the $_SERVER variable and some request method, and I found that with apache I can put an arbitrary method.

For example, I have an script called "server.php" in my example webpage with the next code:

<?php
echo $_SERVER['REQUEST_METHOD'];
?>

And I made this request:
c:\>nc -vv www.example.com 80
example.com [x.x.x.x] 80 (http) open
ArbitratyMethod /server.php HTTP/1.1
Host: wow.sinfocol.org
Connection: Close

The response of the server is the next:
HTTP/1.1 200 OK
Date: Fri, 15 Jan 2010 05:14:09 GMT
Server: Apache
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

ArbitratyMethod

So, be carefully when include the $_SERVER['REQUEST_METHOD'] in any script, this kind of "bug" is old and could be dangerous.
up
-2
jeff at example dot com
10 years ago
Note that, in Apache 2, the server settings will affect the variables available in $_SERVER. For example, if you are using SSL, the following directive will dump SSL-related status information, along with the server certificate and client certificate (if present) into the $_SERVER variables:

SSLOptions +StdEnvVars +ExportCertData
up
-2
doublecompile at gmail dot com
3 years ago
I've used the SplPriorityQueue to determine an HTTP client's preferred MIME types that are in $_SERVER['HTTP_ACCEPT'].

<?php
$queue
= new \SplPriorityQueue();
foreach (
preg_split('#,\s*#', $_SERVER['HTTP_ACCEPT']) as $accept) {
   
$split = preg_split('#;\s*q=#', $accept, 2);
   
$queue->insert($split[0], isset($split[1]) ? (float)$split[1] : 1.0);
}
foreach (
$queue as $mime) {
    echo
$mime, PHP_EOL;
}
?>

My browser sends:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

And this script outputs:
text/html
application/xhtml+xml
application/xml
*/*

A better example:
Accept: text/html, application/xml,text/css;q=0.4,text/plain; q=0.9, application/json;q=0.8

And this script outputs:
text/html
application/xml
text/plain
application/json
text/css
up
-4
Josh Fremer
7 years ago
HTTPS

Set to a non-empty value if the script was queried through the HTTPS protocol.

Note: Note that when using ISAPI with IIS, the value will be off if the request was not made through the HTTPS protocol.

=-=-=

To clarify this, the value is the string "off", so a specific non-empty value rather than an empty value as in Apache.
up
-6
Dean Jenkins
5 years ago
To get the name and web path of the current script

<?php
$scriptname
=end(explode('/',$_SERVER['PHP_SELF']));
$scriptpath=str_replace($scriptname,'',$_SERVER['PHP_SELF']);
?>
up
-7
Megan Mickelson
8 years ago
It makes sense to want to paste the $_SERVER['REQUEST_URI'] on to a page (like on a footer), but be sure to clean it up first with htmlspecialchars() otherwise it poses a cross-site scripting vulnerability.

htmlspecialchars($_SERVER['REQUEST_URI']);

e.g.
http://www.example.com/foo?<script>...

becomes
http://www.example.com/foo?&lt;script&gt;...
up
-5
office at peername dot com
3 years ago
Keep in mind that if the user is using proxy server (like PAC), REQUEST_URI will include the full request URL like http://example.com/path/
up
-6
Gary Mathis
4 years ago
The best way to see all variables within the $_SERVER array, that I have found, is as follows:

<?php
foreach($_SERVER as $key => $value){
echo
'$_SERVER["'.$key.'"] = '.$value."<br />";
}
?>

This will tell you which ones are available on your server and what they are set to.
up
-8
sendmailz1987 at gmail dot com
5 years ago
Example:

$current = $_SERVER['SERVER_NAME'] . $_SERVER['PHP_SELF'];

echo $current;

will output the root to the current page, including url and document root, something like:

example.com/users/profile.php
up
-10
Andrew B
10 years ago
Please note on Windows/IIS - the variable 'USER_AUTH' will return the username/identity of the user accessing the page, i.e. if anonymous access is off, you would normally get back "$domain\$username".
up
-9
sabas88 at gmail dot com
5 years ago
I'm the author of this note
http://www.php.net/manual/en/reserved.variables.server.php#100881

I optimized since that note the path function, basically added detection of windows slashes and a partial option

Now is released on github

https://github.com/sabas/magicpath
up
-11
kamazee at gmail dot com
8 years ago
$_SERVER['DOCUMENT_ROOT'] in different environments may has trailing slash or not, so be careful when including files from $_SERVER['DOCUMENT_ROOT']:
<?php
include(dirname($_SERVER['DOCUMENT_ROOT']) . DIRECTORY_SEPARATOR . 'file.php')
?>
up
-11
info at salientdigital dot com
4 years ago
A word of caution...

If you have some PHP code or file that is included from within a web request via Apache + PHP, as well as from a command line script, be very careful to inspect the keys inside of $_SERVER that you intend to use.

The keys and values are different, and in fact, it also matters if you are running as your_user, sudo php from your_user, or from root.

For example, I just found out that $_SERVER['PWD'] is not available if you run from the command line via sudo (PHP 5.2x, CentOS, YMMV).

To make a test, create a file called server.php with the following content:

<?php
var_dump
($_SERVER);
?>

Then from the commandline:
your_account/dir #$ php server.php > your_account_server.txt
your_account/dir #$ sudo php server.php > your_account_sudo_server.txt
your_account/dir #$ sudo bash
root/dir #$ php server.php > root_server.txt

Now you can diff the output of each of these three files and inspect against what you get when viewing the $_SERVER section of phpinfo() from a web request. You may find the differences to be quite striking, in all, four different ways to run the same PHP file!
up
-10
Taomyn
10 years ago
'HTTPS'
    Set to a non-empty value if the script was queried through the HTTPS protocol. Note that when using ISAPI with IIS, the value will be off if the request was not made through the HTTPS protocol.

Does the same for IIS7 running PHP as a Fast-CGI application.
up
-10
softontherocks at gmail dot com
4 years ago
I want to share with you a full function to get the remote IP that calls a PHP url using the $_SERVER array.

function getRealIP(){
 if( $_SERVER['HTTP_X_FORWARDED_FOR'] != '' ){
  $client_ip =
   ( !empty($_SERVER['REMOTE_ADDR']) ) ?
    $_SERVER['REMOTE_ADDR']
   :
            ( ( !empty($_ENV['REMOTE_ADDR']) ) ?
    $_ENV['REMOTE_ADDR']
    :
    "unknown" );
 
  $entries = split('[, ]', $_SERVER['HTTP_X_FORWARDED_FOR']);
 
  reset($entries);
  while (list(, $entry) = each($entries)){
   $entry = trim($entry);
   if ( preg_match("/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/", $entry, $ip_list) ){
    // http://www.faqs.org/rfcs/rfc1918.html
    $private_ip = array(
     '/^0\./',
     '/^127\.0\.0\.1/',
     '/^192\.168\..*/',
     '/^172\.((1[6-9])|(2[0-9])|(3[0-1]))\..*/',
     '/^10\..*/');
 
    $found_ip = preg_replace($private_ip, $client_ip, $ip_list[1]);
 
    if ($client_ip != $found_ip){
     $client_ip = $found_ip;
     break;
    }
   }
  }
 } else {
  $client_ip =
   ( !empty($_SERVER['REMOTE_ADDR']) ) ?
    $_SERVER['REMOTE_ADDR']
   :
    ( ( !empty($_ENV['REMOTE_ADDR']) ) ?
    $_ENV['REMOTE_ADDR']
    :
    "unknown" );
 }
 return $client_ip;
}

This function was found in http://softontherocks.blogspot.com/2013/07/obtener-la-direccion-ip-que-solicita.html
up
-17
Rodolfo Gonzalez Costa Rica
4 years ago
This is a short script to know what values are defined

<?php

echo "<textarea>";
print_r($_SERVER);
echo
"</textarea>";

?>
up
-13
emailfire at gmail dot com
10 years ago
REQUEST_URI is useful, but if you want to get just the file name use:

<?php
$this_page
= basename($_SERVER['REQUEST_URI']);
if (
strpos($this_page, "?") !== false) $this_page = reset(explode("?", $this_page));
?>
up
-16
dragon[dot]dionysius[at]gmail[dot]com
9 years ago
I've updated the function of my previous poster and putted it into my class.

<?php
   
/**
     * Checking HTTP-Header for language
     * needed for various system classes
     *
     * @return    boolean    true/false
     */
   
private function _checkClientLanguage()
    {   
       
$langcode = (!empty($_SERVER['HTTP_ACCEPT_LANGUAGE'])) ? $_SERVER['HTTP_ACCEPT_LANGUAGE'] : '';
       
$langcode = (!empty($langcode)) ? explode(";", $langcode) : $langcode;
       
$langcode = (!empty($langcode['0'])) ? explode(",", $langcode['0']) : $langcode;
       
$langcode = (!empty($langcode['0'])) ? explode("-", $langcode['0']) : $langcode;
        return
$langcode['0'];
    }
?>

Please note, you have to check additional the result! Because the header may be missing or another possible thing, it is malformed. So check the result with a list with languages you support and perhaps you have to load a default language.

<?php

// if result isn't one of my defined languages
           
if(!in_array($lang, $language_list)) {
               
$lang = $language_default; // load default

?>

My HTTP_ACCEPT_LANGUAGE string:
FF3: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
IE7: de-ch

So, take care of it!
up
-19
Anonymous
8 years ago
Use Strict-Transport-Security (STS) to force the use of SSL.
<?php
$use_sts
= TRUE;

if (
$use_sts && isset($_SERVER['HTTPS']) {
 
header('Strict-Transport-Security: max-age=500');
} elseif (
$use_sts && !isset($_SERVER['HTTPS']) {
 
header('Status-Code: 301');
 
header('Location: https://'.$_SERVER["HTTP_HOST"].$_SERVER['REQUEST_URI']);
}
?>
up
-5
joerg dot reinholz at fastix dot org
3 years ago
On a few of servers (e.g, Strato AG Germany, shared hosting)  $_SERVER["DOCUMENT_ROOT"] follow symlinks (while so configured by admins)

This is a problem while __DIR__ give the realpath.  Try the error with this small script inside of  DOCUMENT_ROOT:

<?php
header
('Content-type: text/plain');
echo
'__DIR__                            : ', __DIR__ , "\n";
echo
'$_SERVER["DOCUMENT_ROOT"]          : ', $_SERVER["DOCUMENT_ROOT"] , "\n";
echo
'realpath($_SERVER["DOCUMENT_ROOT"]): ', realpath($_SERVER["DOCUMENT_ROOT"]), "\n";

## file 'include_me.php'

# Exit, wenn in document_root, weil dann Sicherheitsproblem auftreten kann:
if (-1 < strpos(__DIR__, $_SERVER["DOCUMENT_ROOT"]) ) {
   
trigger_error('Fatal: '. __FILE__
        
. ' darf nicht in oder unterhalb von DOCUMENT_ROOT ('
        
. $_SERVER["DOCUMENT_ROOT"] . ') liegen!', E_USER_ERROR);
    exit;
}
?>
This will never trigger the error!

Use better:
<?php
header
('Content-type: text/plain');
echo
'__DIR__                            : ', __DIR__ , "\n";
echo
'$_SERVER["DOCUMENT_ROOT"]          : ', $_SERVER["DOCUMENT_ROOT"] , "\n";
echo
'realpath($_SERVER["DOCUMENT_ROOT"]): ', realpath($_SERVER["DOCUMENT_ROOT"]), "\n";

## file 'include_me.php'

# Exit, wenn in document_root, weil dann Sicherheitsproblem auftreten kann:
if (-1 < strpos(__DIR__, $_SERVER["DOCUMENT_ROOT"]) ) {
   
trigger_error('Fatal: '. __FILE__
        
. ' darf nicht in oder unterhalb von DOCUMENT_ROOT ('
        
. $_SERVER["DOCUMENT_ROOT"] . ') liegen!', E_USER_ERROR);
    exit;
}
?>
up
-25
Thomas Urban
10 years ago
Maybe you're missing information on $_SERVER['CONTENT_TYPE'] or $_SERVER['CONTENT_LENGTH'] as I did. On POST-requests these are available in addition to those listed above.
up
-22
derniereclasse at gmail dot com
4 years ago
About $_SERVER['REQUEST_METHOD']
return one of this values :
'GET', 'HEAD', 'POST', 'PUT'. 
but can also return :
'OPTION'
up
-4
Luigi
1 year ago
Hey guys, I by far have very little experience. I'm looking to enable SERVER_NAME value on my VPS. How do I go about? Thanks!
up
-30
LOL
6 years ago
For an hosting that use windows I have used this script to make REQUEST_URI to be correctly setted on IIS
<?php
function request_URI() {
    if(!isset(
$_SERVER['REQUEST_URI'])) {
       
$_SERVER['REQUEST_URI'] = $_SERVER['SCRIPT_NAME'];
        if(
$_SERVER['QUERY_STRING']) {
           
$_SERVER['REQUEST_URI'] .= '?' . $_SERVER['QUERY_STRING'];
        }
    }
    return
$_SERVER['REQUEST_URI'];
}
$_SERVER['REQUEST_URI'] = request_URI();
?>
up
-3
nomail at example dot com
2 months ago
What about this one ?
<?php
$_SERVER
["SCRIPT_URI"];
?>
up
-10
camadmin@CAMserver
1 year ago
You can try: a) save this script into .php file (global_server.php, by example)
<?php
foreach ($_SERVER as $key => $value) {
   echo
"$key <pre> $value </pre>";
   echo
"<br>";
}
?>
b) on Linux console, execute: php global_server.php > global_server.html
c) edit global_server.html and adds the missing tags "html" and "body". Save the changes.
d) view the contents by http://localhost/global_server.html
To Top