Security: Don’t blindly trust $_SERVER variables

Article one: Chris Shiflett: SERVER_NAME Versus HTTP_HOST
Article two: Sean Coates: XSS Woes

I thought both were quite insightful, though Sean's stands out more because PHP_SELF is used so often (be sure to check out his phpinfo(); example at the end of the post). One method, as he explained, is to pass the $_SERVER['PHP_SELF'] variable through htmlentities() so at least you aren't potentially echoing dangerous output.

Heed Chris's advice: treat $_SERVER variables just as you would $_GET and $_POST: all have the potential to be tainted.
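As an added example (not from the original post or either linked article), here is the escaping approach from Sean's article next to the tainted form, plus a host allowlist in the spirit of Chris's advice; the function names and the sample $_SERVER values are constructed for illustration.

```php
<?php
// Added example: treat $_SERVER values as tainted input.
// safe_self() and trusted_host() are hypothetical helper names.

// Escape PHP_SELF before echoing it into an HTML attribute.
function safe_self(array $server): string
{
    $self = $server['PHP_SELF'] ?? '/index.php';
    // ENT_QUOTES encodes both " and ', so the attribute cannot be closed early.
    return htmlentities($self, ENT_QUOTES, 'UTF-8');
}

// Check HTTP_HOST against an allowlist instead of trusting it.
function trusted_host(array $server, array $allowed): string
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    // Drop any :port suffix before comparing.
    $host = preg_replace('/:\d+$/', '', $host);
    if (!in_array($host, $allowed, true)) {
        // Fall back to the configured canonical host rather than echoing the request value.
        return $allowed[0];
    }
    return $host;
}

// Constructed sample request values (not captured traffic).
$fake_server = [
    // Extra path data appended by the client ends up in PHP_SELF.
    'PHP_SELF'  => '/index.php/"><i>injected</i>',
    'HTTP_HOST' => 'not-our-host.example',
];

// Vulnerable: the raw value breaks out of the action attribute.
echo '<form action="' . $fake_server['PHP_SELF'] . '">' . "\n";

// Hardened: quote and angle brackets are entity-encoded, attribute stays intact.
echo '<form action="' . safe_self($fake_server) . '">' . "\n";

// Absolute URL built from the allowlist, not from the request header.
echo 'https://' . trusted_host($fake_server, ['www.example.com']) . '/login' . "\n";
```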
