Home » Php » How to set custom $_SERVER variables from client in PHP

How to set custom $_SERVER variables from client in PHP

Posted by: admin July 12, 2020 Leave a comment

Questions:

According to this post: Which $_SERVER variables are safe? and another I’ve seen, a client seems to be able to set custom $_SERVER variables. For example: $_SERVER[‘HTTP_EXAMPLE’]

How would a client actually set a value to $_SERVER[‘HTTP_EXAMPLE’]?

How to&Answers:

If you have access to the Apache config file, you can do it using mod_env

SetEnv HTTP_EXAMPLE http_example

Then you can access that variable

echo $_SERVER["HTTP_EXAMPLE"]; //outputs http_example

Answer:

You can just set the variable in your script if you want

$_SERVER['DOCUMENT_ROOT'] = 'test';
echo $_SERVER['DOCUMENT_ROOT'];  // test

What that other article is really referring to spoofed variables such as the REMOTE_ADDR which is reported by the client.

For more info on that check out this post on faking the REMOTE_ADDR. How to fake $_SERVER['REMOTE_ADDR'] variable?