is $_SERVER['DOCUMENT_ROOT'] unsafe?

access9

I typically use this in my include statements:

require_once($_SERVER['DOCUMENT_ROOT'] . "/includes/class.MyClass.php");

Can this be modified by the remote user like $_SERVER['HTTP_REFERER'] can? Is this a safe use of it?

Thanks,
a9

superwormy

No, it can't be modified by the user.

When a users browser request a web page, it sends a header ( line of text ) to the webserver that looks like this:

Referer: Mozilla/4.0 ( MSIE 5.0 etc. etc. )

That's why the user can alter it. But DOCUMENT_ROOT is defined by the Apache webserver, not by a string the web browser is sending in. Go ahead and use it.

access9

Thanks superwormy!

phprock

If i decalre in a file config.php like this

//config.php
<?php
$root=$_SERVER["DOCUMENT_ROOT"];
$path=pathinfo($_SERVER["PHP_SELF"]);
$site_path="$root$path[dirname]";

?>

And then i use in a file.

<?Php
//index.php
include("config.php");
global $site_path;

?>

Installer

It should be safe, considering that it won't run. This:

$site_path="$root$path[dirname]";

should be:

$site_path = $root . $path['dirname'];

Also "global" is used in functions, not in the "normal" scope. When you include a file, variables in it (outside of functions) come into the scope of the including file, so it's not necessary here anyway. Also, you should use quotes around variable key names to prevent possible run-time confusion with like-named constants.

After you fix all that it should still be safe.