[PHP] set variables based on HTTP_HOST

2005-08-08 Thread Joe Szilagyi
Is this potentially bad, security wise, to do something like this? Can
you guys recommend any way to tighten this up a bit or do this sort of
thing better/more eloquently?


<?php

$Host1 = array ('name1.host.com');
$Host2 = array ('name2.host.com');
$Host3 = array ('name3.host.com');
$Host4 = array ('name4.host.com');

if (in_array ($_SERVER['HTTP_HOST'], $Host1))
 {
 $HeaderImg = '/headers/name1_header.gif'; // define graphic
 $SiteCSS = '/css/name1_css.css'; // define css
 }
elseif (in_array ($_SERVER['HTTP_HOST'], $Host2))
 {
 $HeaderImg = '/headers/name2_header.gif'; // define graphic
 $SiteCSS = '/css/name2_css.css'; // define css
 }
elseif (in_array ($_SERVER['HTTP_HOST'], $Host3))
 {
 $HeaderImg = '/headers/name3_header.gif'; // define graphic
 $SiteCSS = '/css/name3_css.css'; // define css
 }
elseif (in_array ($_SERVER['HTTP_HOST'], $Host4))
 {
 $HeaderImg = '/headers/name4_header.gif'; // define graphic
 $SiteCSS = '/css/name4_css.css'; // define css
 }
else
 {
 $HeaderImg = '/headers/main_header.gif'; // define graphic
 $SiteCSS = '/css/main_css.css'; // define css
 }

?>

<link rel="stylesheet" href="<?php echo $SiteCSS ?>" type="text/css" />
<img src="<?php echo $HeaderImg ?>">


The idea is to use this in the global header of a site that may be
invoked through up to 20-30 different third level subdomains, for the
same content. Standard stuff, one site, one set of tools to run it,
but each subdomain's slightly unique content pulls based on host.

thanks,
Joe

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] set variables based on HTTP_HOST

2005-08-08 Thread Richard Davey
Hello Joe,

Monday, August 8, 2005, 6:40:37 PM, you wrote:

JS> Is this potentially bad, security wise, to do something like this?
JS> Can you guys recommend any way to tighten this up a bit or do this
JS> sort of thing better/more eloquently?

$_SERVER is, thankfully, _mostly_ populated by the web server, not the
client. HTTP_HOST certainly falls into this category. The only thing
you probably shouldn't do is rely on it always being there, so have
some catch-all set of headers / css if it's not set (mind you, if that
happens you've got a bigger problem on your hands! but it'd stop your
site breaking).

JS> <?php
JS> $Host1 = array ('name1.host.com');
JS> if (in_array ($_SERVER['HTTP_HOST'], $Host1))
JS>  {
JS>  $HeaderImg = '/headers/name1_header.gif'; // define graphic
JS>  $SiteCSS = '/css/name1_css.css'; // define css
JS>  }

Why are you creating lots of arrays and then using in_array to check
them? Just seems a little pointless in this instance as it gives you
no real benefit - comparing a one element array against a variable is
just...  well.. comparing a variable with a variable! So why not do
that? Perhaps a switch block would serve your needs better?

switch ($_SERVER['HTTP_HOST'])
{
   case 'name1.host.com':
      $header = ..
      break;
}

etc - then you can combine multiple hosts into one section and have a
default set at the bottom.

Best regards,

Richard Davey
-- 
 http://www.launchcode.co.uk - PHP Development Services
 Zend Certified Engineer
 I do not fear computers. I fear the lack of them. - Isaac Asimov




Re: [PHP] set variables based on HTTP_HOST

2005-08-08 Thread Joe Szilagyi
Hi!

On 8/8/05, Richard Davey [EMAIL PROTECTED] wrote:
> Why are you creating lots of arrays and then using in_array to check
> them? Just seems a little pointless in this instance as it gives you
> no real benefit - comparing a one element array against a variable is
> just...  well.. comparing a variable with a variable! So why not do
> that? Perhaps a switch block would serve your needs better?

I took your advice and put this up--any thoughts or advice would be
appreciated. Is the switch setup below the sort of thing you were
talking about? I altered it slightly overall to set a specific header
file, instead of a graphic, which is more useful.


<?php
// header generation script

// define path to includes & header folder where
// include files live
// (( would be in a global include file, just here for clarity ))
$includepath = '/home/user/public_html/inc';

// see what host is invoked
switch ($_SERVER['HTTP_HOST'])              // check hostname
{
    case 'domain.com':                      // define host
        $Header = '/inc/main.header.inc';   // define header file
        break;                              // next
    case 'www.domain.com':
        $Header = '/inc/main.header.inc';
        break;
    case 'host1.domain.com':
        $Header = '/inc/host1.header.inc';
        break;
    case 'host2.domain.com':
        $Header = '/inc/host2.header.inc';
        break;
    case 'host3.domain.com':
        $Header = '/inc/host3.header.inc';
        break;
    case 'host4.domain.com':
        $Header = '/inc/host4.header.inc';
        break;
    case 'host5.domain.com':
        $Header = '/inc/host5.header.inc';
        break;
    // etc., etc.
    default:
        $Header = '/inc/illegalhost.header.inc'; // define header
}

// call the include header file for that host
if (file_exists("$includepath/$Header")) {          // include valid?
    include stripslashes("$includepath/$Header");   // yup, include
} else {
    echo 'FAILURE MESSAGE OF SOME SORT';            // nope
    exit;
}

?>

(rest of page)

I figure I can get a regexp in there somehow so I don't need two
entries for the main domain.com and its www c name, either... need to
add that.

I'm also sort of paranoid about unchecked includes in PHP and getting
compromised--is doing a check like I am here for the include file's
existence worthwhile or even useful to protect against possible
problems?

thanks,
Joe




Re[2]: [PHP] set variables based on HTTP_HOST

2005-08-08 Thread Richard Davey
Hello Joe,

Tuesday, August 9, 2005, 12:57:17 AM, you wrote:


JS> // call the include header file for that host
JS> if (file_exists("$includepath/$Header")) {          // include valid?
JS>     include stripslashes("$includepath/$Header");   // yup, include
JS> } else {
JS>     echo 'FAILURE MESSAGE OF SOME SORT';            // nope
JS>     exit;
JS> }
JS>
JS> ?>
JS>
JS> (rest of page)

JS> I figure I can get a regexp in there somehow so I don't need two
JS> entries for the main domain.com and its www c name, either... need to
JS> add that.

You can just do this:

switch ($_SERVER['HTTP_HOST'])              // check hostname
{
   case 'www.domain.com':
   case 'domain.com':                       // define host
      $Header = '/inc/main.header.inc';     // define header file
      break;                                // next
}

Stack 'em up as much as you need.

JS> I'm also sort of paranoid about unchecked includes in PHP and
JS> getting compromised--is doing a check like I am here for the
JS> include file's existence worthwhile or even useful to protect
JS> against possible problems?

You're not doing an un-checked include - it's definitely checked.

You've pre-defined the $includepath at the start of your script, so
no-one can over-write this. You've forced $header to be one of the
switch options and *nothing* else. So those two things are certainly
clean.

If someone manages to inject bogus variables into your
$_SERVER['HTTP_HOST'] element then you've got bigger things to worry
about than your code :) (i.e. someone has compromised your server) but
with your switch block and pre-set values even if they had managed
that, you'd still only ever include a valid header.

You have to draw the line somewhere with security - nothing will ever
be 100% safe because there are so many chains in the loop (firewall,
network, server, apache, php, etc). I would say that as it stands
you've done the best you can for this little section of code, but
perhaps some others might post more ideas if they have them.

Best regards,

Richard Davey
-- 
 http://www.launchcode.co.uk - PHP Development Services
 Zend Certified Engineer
 I do not fear computers. I fear the lack of them. - Isaac Asimov




Re: [PHP] set variables based on HTTP_HOST

2005-08-08 Thread Chris

Richard Davey wrote:

> Hello Joe,
>
> Tuesday, August 9, 2005, 12:57:17 AM, you wrote:
>
> JS> // call the include header file for that host
> JS> if (file_exists("$includepath/$Header")) {          // include valid?
> JS>     include stripslashes("$includepath/$Header");   // yup, include
> JS> } else {
> JS>     echo 'FAILURE MESSAGE OF SOME SORT';            // nope
> JS>     exit;
> JS> }
> JS>
> JS> ?>
> JS>
> JS> (rest of page)
>
> JS> I figure I can get a regexp in there somehow so I don't need two
> JS> entries for the main domain.com and its www c name, either... need to
> JS> add that.
>
> You can just do this:
>
> switch ($_SERVER['HTTP_HOST'])              // check hostname
> {
>    case 'www.domain.com':
>    case 'domain.com':                       // define host
>       $Header = '/inc/main.header.inc';     // define header file
>       break;                                // next
> }
>
> Stack 'em up as much as you need.
>
> JS> I'm also sort of paranoid about unchecked includes in PHP and
> JS> getting compromised--is doing a check like I am here for the
> JS> include file's existence worthwhile or even useful to protect
> JS> against possible problems?
>
> You're not doing an un-checked include - it's definitely checked.
>
> You've pre-defined the $includepath at the start of your script, so
> no-one can over-write this. You've forced $header to be one of the
> switch options and *nothing* else. So those two things are certainly
> clean.
>
> If someone manages to inject bogus variables into your
> $_SERVER['HTTP_HOST'] element then you've got bigger things to worry
> about than your code :) (i.e. someone has compromised your server) but
> with your switch block and pre-set values even if they had managed
> that, you'd still only ever include a valid header.
>
> You have to draw the line somewhere with security - nothing will ever
> be 100% safe because there are so many chains in the loop (firewall,
> network, server, apache, php, etc). I would say that as it stands
> you've done the best you can for this little section of code, but
> perhaps some others might post more ideas if they have them.
>
> Best regards,
>
> Richard Davey

Security-wise, you can't count on $_SERVER['HTTP_HOST']; it is passed
to PHP by Apache, but Apache is just passing through the user-supplied
Host header.

So don't depend on that for any security related information (like
restricting logins), but, if it's just page layout, and they are all
similarly accessible sites, that shouldn't be a problem.


Chris
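
Added example, not code from the thread or from any poster: one way to combine the two points discussed above, treating the Host header as client-supplied input that is only ever used as a lookup key, and confirming the resolved include path stays inside the include directory. The hostnames, file names and function names are assumptions for illustration.

```php
<?php
// Added example: hostnames, file names and paths are assumptions for illustration.

// Allowlist: the only header files that can ever be selected.
const HOST_HEADERS = [
    'domain.com'       => 'main.header.inc',
    'www.domain.com'   => 'main.header.inc',
    'host1.domain.com' => 'host1.header.inc',
];
const DEFAULT_HEADER = 'illegalhost.header.inc';

// Normalise the client-supplied Host value: lower-case, drop an optional
// ":port" suffix and a trailing dot. Returns null for anything malformed.
function normalize_host(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $host = strtolower(trim($raw));
    $host = preg_replace('/:\d{1,5}$/', '', $host);
    $host = rtrim($host, '.');
    return preg_match('/^[a-z0-9]([a-z0-9.-]{0,251}[a-z0-9])?$/D', $host) ? $host : null;
}

// Map a Host value to a header file; the request value is never part of the path.
function header_for_host(?string $raw): string
{
    return HOST_HEADERS[normalize_host($raw) ?? ''] ?? DEFAULT_HEADER;
}

// Resolve the file and confirm it still lies inside the include directory.
function resolve_header(string $includeDir, string $file): ?string
{
    $base = realpath($includeDir);
    $path = realpath($includeDir . '/' . $file);
    if ($base === false || $path === false) {
        return null;
    }
    return strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0 ? $path : null;
}

// Constructed sample inputs, including a forged value and a missing header.
foreach (['WWW.Domain.com:8080', 'host1.domain.com.', '../../etc/passwd', null] as $sample) {
    printf("%-22s -> %s\n", var_export($sample, true), header_for_host($sample));
}
```

In a page, include the file only when resolve_header() returns a non-null path for header_for_host($_SERVER['HTTP_HOST'] ?? null).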
