[PHP] set variables based on HTTP_HOST
Is this potentially bad, security wise, to do something like this? Can you guys recommend any way to tighten this up a bit or do this sort of thing better/more eloquently? ? $Host1 = array ('name1.host.com'); if (in_array ($_SERVER['HTTP_HOST'], $Host1)) { $HeaderImg = /headers/name1_header.gif; // define graphic $SiteCSS = /css/name1_css.css; // define css } $Host2 = array ('name2.host.com'); if (in_array ($_SERVER['HTTP_HOST'], $Host1)) { $HeaderImg = /headers/name2_header.gif; // define graphic $SiteCSS = /css/name2_css.css; // define css } $Host3 = array ('name3.host.com'); if (in_array ($_SERVER['HTTP_HOST'], $Host1)) { $HeaderImg = /headers/name3_header.gif; // define graphic $SiteCSS = /css/name3_css.css; // define css } $Host4 = array ('name4.host.com'); if (in_array ($_SERVER['HTTP_HOST'], $Host1)) { $HeaderImg = /headers/name4_header.gif; // define graphic $SiteCSS = /css/name4_css.css; // define css } else { $HeaderImg = /headers/main_header.gif; // define graphic $SiteCSS = /css/main_css.css; // define css } ? link rel=stylesheet href=? echo $SiteCSS ? type=text/css / img src=? echo $HeaderImg ? The idea is to use this in the global header of a site that may be invoked through up to 20-30 different third level subdomains, for the same content. Standard stuff, one site, one set of tools to run it, but each subdomain's slightly unique content pulls based on host. thanks, Joe -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] set variables based on HTTP_HOST
Hello Joe, Monday, August 8, 2005, 6:40:37 PM, you wrote: JS Is this potentially bad, security wise, to do something like this? JS Can you guys recommend any way to tighten this up a bit or do this JS sort of thing better/more eloquently? $_SERVER is, thankfully, _mostly_ populated by the web server, not the client. HTTP_HOST certainly falls into this category. The only thing you probably shouldn't do is rely on it always being there, so have some catch-all set of headers / css if it's not set (mind you, if that happens you've got a bigger problem on your hands! but it'd stop your site breaking). JS ? JS $Host1 = array ('name1.host.com'); JS if (in_array ($_SERVER['HTTP_HOST'], $Host1)) JS { JS $HeaderImg = /headers/name1_header.gif; // define graphic JS $SiteCSS = /css/name1_css.css; // define css JS } Why are you creating lots of arrays and then using in_array to check them? Just seems a little pointless in this instance as it gives you no real benefit - comparing a one element array against a variable is just... well.. comparing a variable with a variable! So why not do that? Perhaps a switch block would serve your needs better? switch ($_SERVER['HTTP_HOST']) { case 'name1.host.com': $header = .. break; } etc - then you can combine multiple hosts into one section and have a default set at the bottom. Best regards, Richard Davey -- http://www.launchcode.co.uk - PHP Development Services Zend Certified Engineer I do not fear computers. I fear the lack of them. - Isaac Asimov -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] set variables based on HTTP_HOST
Hi! On 8/8/05, Richard Davey [EMAIL PROTECTED] wrote: Why are you creating lots of arrays and then using in_array to check them? Just seems a little pointless in this instance as it gives you no real benefit - comparing a one element array against a variable is just... well.. comparing a variable with a variable! So why not do that? Perhaps a switch block would serve your needs better? I took your advice and put this up--any thoughts or advice would be appreciated. Is the switch setup below the sort of thing you were talking about? I altered it slightly overall to set a specific header file, instead of a graphic, which is more useful. ? // header generation script // define path to includes header folder where // include files live $includepath = '/home/user/public_html/inc'; (( would be in a global include file, just here for clarity )) // see what host is invoked switch ($_SERVER['HTTP_HOST'])// check hostname { case 'domain.com':// define host $Header = '/inc/main.header.inc'; // define header file break;// next case 'www.domain.com': $Header = '/inc/main.header.inc'; break; case 'host1.domain.com': $Header = '/inc/host1.header.inc'; break; case 'host2.domain.com': $Header = '/inc/host2.header.inc'; break; case 'host3.domain.com': $Header = '/inc/host3.header.inc'; break; case 'host4.domain.com': $Header = '/inc/host4.header.inc'; break; case 'host5.domain.com': $Header = '/inc/host5.header.inc'; break; // etc., etc. default: $Header = '/inc/illegalhost.header.inc'; // define header } // call the include header file for that host if (file_exists($includepath/$Header)) {// include valid? include stripslashes($includepath/$Header); // yup, include } else { echo FAILURE MESSAGE OF SOME SORT; // nope exit; } ? (rest of page) I figure I can get a regexp in there somehow so I don't need two entries for the main domain.com and it's www c name, either... need to add that. I'm also sort of paranoid about unchecked includes in PHP and getting compromised--is doing a check like I am here for the include file's existence worthwhile or even useful to protect against possible problems? thanks, Joe -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re[2]: [PHP] set variables based on HTTP_HOST
Hello Joe, Tuesday, August 9, 2005, 12:57:17 AM, you wrote: JS // call the include header file for that host JS if (file_exists($includepath/$Header)) {// include valid? JS include stripslashes($includepath/$Header); // yup, include JS } else { JS echo FAILURE MESSAGE OF SOME SORT; // nope JS exit; JS } ? JS (rest of page) JS I figure I can get a regexp in there somehow so I don't need two JS entries for the main domain.com and it's www c name, either... need to JS add that. You can just do this: switch ($_SERVER['HTTP_HOST'])// check hostname { case 'www.domain.com': case 'domain.com':// define host $Header = '/inc/main.header.inc'; // define header file break;// next } Stack 'em up as much as you need. JS I'm also sort of paranoid about unchecked includes in PHP and JS getting compromised--is doing a check like I am here for the JS include file's existence worthwhile or even useful to protect JS against possible problems? You're not doing an un-checked include - it's definitely checked. You've pre-defined the $includepath at the start of your script, so no-one can over-write this. You've forced $header to be one of the switch options and *nothing* else. So those two things are certainly clean. If someone manages to inject bogus variables into your $_SERVER['HTTP_HOST'] element then you've got bigger things to worry about than your code :) (i.e. someone has compromised your server) but with your switch block and pre-set values even if they had managed that, you'd still only ever include a valid header. You have to draw the line somewhere with security - nothing will ever be 100% safe because there are so many chains in the loop (firewall, network, server, apache, php, etc). I would say that as it stands you've done the best you can for this little section of code, but perhaps some others might post more ideas if they have them. Best regards, Richard Davey -- http://www.launchcode.co.uk - PHP Development Services Zend Certified Engineer I do not fear computers. I fear the lack of them. - Isaac Asimov -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] set variables based on HTTP_HOST
Richard Davey wrote: Hello Joe, Tuesday, August 9, 2005, 12:57:17 AM, you wrote: JS // call the include header file for that host JS if (file_exists($includepath/$Header)) {// include valid? JS include stripslashes($includepath/$Header); // yup, include JS } else { JS echo FAILURE MESSAGE OF SOME SORT; // nope JS exit; JS } ? JS (rest of page) JS I figure I can get a regexp in there somehow so I don't need two JS entries for the main domain.com and it's www c name, either... need to JS add that. You can just do this: switch ($_SERVER['HTTP_HOST'])// check hostname { case 'www.domain.com': case 'domain.com':// define host $Header = '/inc/main.header.inc'; // define header file break;// next } Stack 'em up as much as you need. JS I'm also sort of paranoid about unchecked includes in PHP and JS getting compromised--is doing a check like I am here for the JS include file's existence worthwhile or even useful to protect JS against possible problems? You're not doing an un-checked include - it's definitely checked. You've pre-defined the $includepath at the start of your script, so no-one can over-write this. You've forced $header to be one of the switch options and *nothing* else. So those two things are certainly clean. If someone manages to inject bogus variables into your $_SERVER['HTTP_HOST'] element then you've got bigger things to worry about than your code :) (i.e. someone has compromised your server) but with your switch block and pre-set values even if they had managed that, you'd still only ever include a valid header. You have to draw the line somewhere with security - nothing will ever be 100% safe because there are so many chains in the loop (firewall, network, server, apache, php, etc). I would say that as it stands you've done the best you can for this little section of code, but perhaps some others might post more ideas if they have them. Best regards, Richard Davey Security-wise, you can't count on $_SERVER['HTTP_HOST'] , it is passed to PHP by Apache, but Apache is just passing through the user-supplied Host header. So don't depend on that for any security related information (like restricting logins), but, if it's jsut page layout, and they are all similarly accessible site, that shouldn't be a problem. Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php