Re: When is it possible for $_SERVER['SERVER_NAME'] to contain something other than the URL which activated the script? [message #179856 is a reply to message #179839]
Wed, 12 December 2012 13:10
Tony Marston
"M. Strobel" wrote in message news:aip563Ft79lU1(at)mid(dot)uni-berlin(dot)de...
>
> Am 11.12.2012 11:53, schrieb Tony Marston:
>> I always understood that when activated through a web browser that
>> $_SERVER['SERVER_NAME'] and $_SERVER['HTTP_HOST'] identified the domain
>> name under which the script was being run, but I have come across some
>> instances where both SERVER_NAME and HTTP_HOST appear to be spoofed, and
>> I wondered if this is legitimate or not.
>>
>> I have an application which exists on a live server and a test server,
>> with a different database for each, and they both share a common config
>> file which identifies which server it is running on so that it can use
>> the relevant database credentials. If the server name does not match
>> either of the live or test domain names (such as mydomain.com and
>> test.mydomain.com) then it uses invalid credentials which causes an
>> error when attempting to access the database. I never thought that this
>> error would ever appear, but lately I have been getting errors such as
>> the following:
>>
>> Fatal Error: mysqli_connect(): Access denied for user 'default'@'localhost' (using password: YES).
>> Error in line 259 of file '/var/www/vhosts/mydomain.com/httpdocs/transix/includes/dml.mysqli.class.inc'.
>> PHP_SELF: /index.php
>> CURRENT DIRECTORY: /var/www/vhosts/mydomain.com/httpdocs
>> SERVER_ADDR: nnn.nnn.nnn.nnn
>> SERVER_NAME: www.yahoo.com
>> HTTP_HOST: www.yahoo.com
>> REMOTE_ADDR: 109.108.142.236
>> REQUEST_URI: http://www.yahoo.com/
>>
>> In order to run this script on my live server the URL should have been
>> www.mydomain.com but here you can see it reported as www.yahoo.com. How
>> is this possible?
>
> I can think of several ways:
>
> The client did not use HTTP/1.1 = client request without a hostname
>
> Something like apache mod_rewrite on the server is doing it
>
> any other misconfiguration on the server sites (hopefully temporary)
>
> /Str.

There are no mod_rewrite settings on the server or any other settings which
would cause an error as the site has been in use for some while without
incident, but I am occasionally seeing errors like this because my script
cannot recognise the value in SERVER_NAME. Somebody is trying to access my
site, but somehow they are able to force the value of SERVER_NAME to be
something other than the domain name.
--
Tony Marston
http://www.tonymarston.net
http://www.radicore.org
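
The config-selection pattern discussed in this thread, as an added example that is not part of the original posts: HTTP_HOST is copied from the client's Host header, and under Apache with `UseCanonicalName Off` SERVER_NAME follows it, so the script resolves its environment from a fixed allowlist and rejects anything else before a database connection is attempted. The host names come from the post; the function names and the `KNOWN_HOSTS` constant are hypothetical.

```php
<?php
// Added example, not code from the thread. Function and constant names are assumptions.
const KNOWN_HOSTS = [
    'mydomain.com'      => 'live',
    'www.mydomain.com'  => 'live',
    'test.mydomain.com' => 'test',
];

/** Lower-case the host, drop any port and trailing dot; null if missing or malformed. */
function normalise_host(?string $raw): ?string
{
    if ($raw === null || $raw === '') {
        return null;                                  // request carried no Host header
    }
    $host = strtolower(trim($raw));
    $host = preg_replace('/:\d+$/', '', $host);       // strip ":80"
    $host = rtrim((string) $host, '.');
    return preg_match('/^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/', $host) ? $host : null;
}

/** Return 'live', 'test', or null when the request is not addressed to this site. */
function resolve_environment(array $server): ?string
{
    // An absolute-form request target ("GET http://other.example/ HTTP/1.1") shows up
    // as a full URL in REQUEST_URI, as in the error report quoted in the thread.
    $uri = $server['REQUEST_URI'] ?? '';
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $uri)) {
        $uriHost = normalise_host(parse_url($uri, PHP_URL_HOST) ?: null);
        if ($uriHost === null || !array_key_exists($uriHost, KNOWN_HOSTS)) {
            return null;
        }
    }
    $host = normalise_host($server['HTTP_HOST'] ?? $server['SERVER_NAME'] ?? null);
    return ($host !== null && array_key_exists($host, KNOWN_HOSTS)) ? KNOWN_HOSTS[$host] : null;
}

// Constructed sample requests; the first mirrors the values in the quoted error report.
$samples = [
    ['HTTP_HOST' => 'www.yahoo.com', 'SERVER_NAME' => 'www.yahoo.com', 'REQUEST_URI' => 'http://www.yahoo.com/'],
    ['HTTP_HOST' => 'WWW.MyDomain.com:80', 'REQUEST_URI' => '/index.php'],
    ['HTTP_HOST' => 'test.mydomain.com', 'REQUEST_URI' => '/index.php'],
    ['REQUEST_URI' => '/index.php'],                  // no Host header at all
];
foreach ($samples as $s) {
    $env = resolve_environment($s);
    // In a front controller: on null, send a 400 response and exit before any DB connect.
    printf("%-22s => %s\n", $s['HTTP_HOST'] ?? '(none)', $env ?? 'reject');
}
```

Rejecting unknown hosts at this point turns the "Access denied for user 'default'" database error into an explicit, loggable 400 that is easy to tell apart from a real credential failure.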