[PHP] which server variables from this list can be spoofed?

2012-01-19 Thread Haluk Karamete
I marked those I already know as can,

$_SERVER['REMOTE_ADDR']  CAN
$_SERVER['HTTP_REFERER']  CAN
$_SERVER['HTTP_USER_AGENT']  CAN
$_SERVER['REQUEST_URI']   CAN (because it contains the query string
part, and the user/hacker can easily change that)

Those I'm not too sure about are as follows:

$_SERVER['SERVER_NAME']
$_SERVER['DOCUMENT_ROOT']
$_SERVER['SCRIPT_NAME']
$_SERVER['PHP_SELF']

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] which server variables from this list can be spoofed?

2012-01-19 Thread Ghodmode
On Fri, Jan 20, 2012 at 10:07 AM, Haluk Karamete
halukkaram...@gmail.com wrote:
> I marked those I already know as can,
>
> $_SERVER['REMOTE_ADDR']  CAN
> $_SERVER['HTTP_REFERER']  CAN
> $_SERVER['HTTP_USER_AGENT']  CAN
> $_SERVER['REQUEST_URI']   CAN (because it contains the query string
> part, and the user/hacker can easily change that)
>
> Those I'm not too sure about are as follows:
>
> $_SERVER['SERVER_NAME']
> $_SERVER['DOCUMENT_ROOT']
> $_SERVER['SCRIPT_NAME']
> $_SERVER['PHP_SELF']

All of 'em.  However, SERVER_NAME, DOCUMENT_ROOT, and SCRIPT_NAME come
from the server, so it would have to be whoever controls the server
doing the spoofing.

PHP_SELF could probably be faked in the code if done creatively.
Naturally, no one would try to do this intentionally, but I wonder if
something mischievous could be done with this if code was included
from an external source.

--
Ghodmode
http://www.ghodmode.com/blog
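As an added example (written for this page, not code from either poster), the script below sorts the variables the thread lists by who determines their value and shows the checks a PHP script should apply before trusting them: REMOTE_ADDR is validated and X-Forwarded-For is honoured only behind a proxy you operate, SCRIPT_NAME is preferred over PHP_SELF and escaped before output, and HTTP_REFERER is reduced to a host for logging only. The request values are constructed, and the helper names clientIp, selfPath and refererHost are the example's own. It runs from the CLI without a web server.

```php
<?php
declare(strict_types=1);

// Constructed request environment (not a real capture) standing in for
// $_SERVER during one web request, so the script runs as: php server_vars.php
$request = [
    'REMOTE_ADDR'          => '203.0.113.10',            // TCP peer as seen by the server
    'HTTP_X_FORWARDED_FOR' => '198.51.100.7',            // header: whatever the client sent
    'HTTP_REFERER'         => 'http://example.com/page', // header: whatever the client sent
    'HTTP_USER_AGENT'      => 'Mozilla/5.0 (constructed)',
    'REQUEST_URI'          => '/index.php/extra?q=1',    // raw request target from the client
    'SERVER_NAME'          => 'www.example.com',         // server configuration
    'DOCUMENT_ROOT'        => '/var/www/html',           // server configuration
    'SCRIPT_NAME'          => '/index.php',              // resolved by the server
    'PHP_SELF'             => '/index.php/extra',        // SCRIPT_NAME + client-supplied PATH_INFO
];

// Who determines each value. "client" means the request value is copied through unchanged.
const SERVER_VAR_ORIGIN = [
    'REMOTE_ADDR'     => 'peer',    // TCP connection; only a proxy in front of PHP changes it
    'HTTP_REFERER'    => 'client',
    'HTTP_USER_AGENT' => 'client',
    'REQUEST_URI'     => 'client',
    'SERVER_NAME'     => 'server',  // note: Apache with UseCanonicalName Off fills it from the Host header
    'DOCUMENT_ROOT'   => 'server',
    'SCRIPT_NAME'     => 'server',
    'PHP_SELF'        => 'mixed',   // server-resolved script path plus client-supplied PATH_INFO
];

/**
 * Validate REMOTE_ADDR and decide whether X-Forwarded-For may be honoured.
 * The header is client-controlled, so it is consulted only when the direct
 * peer is a proxy we operate; even then only the address that proxy
 * appended (the rightmost one) is used, since the rest of the chain is unverified.
 */
function clientIp(array $server, array $trustedProxies = []): ?string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return null; // malformed value: refuse rather than guess
    }
    $forwarded = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($forwarded !== '' && in_array($peer, $trustedProxies, true)) {
        $chain = array_map('trim', explode(',', $forwarded));
        $candidate = end($chain);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    return $peer;
}

/**
 * Path to use in a form action or self-link. SCRIPT_NAME is server-resolved,
 * whereas PHP_SELF also carries PATH_INFO taken from the request line, so
 * prefer SCRIPT_NAME and HTML-escape it anyway before it reaches the page.
 */
function selfPath(array $server): string
{
    return htmlspecialchars($server['SCRIPT_NAME'] ?? '', ENT_QUOTES, 'UTF-8');
}

/**
 * Referer is a hint, never an access-control input: keep only the host for
 * logging or analytics, and treat an unparseable value as absent.
 */
function refererHost(array $server): ?string
{
    $host = parse_url($server['HTTP_REFERER'] ?? '', PHP_URL_HOST);
    return (is_string($host) && $host !== '') ? $host : null;
}

// Report: origin of each variable next to its value in this request.
foreach (SERVER_VAR_ORIGIN as $key => $origin) {
    printf("%-16s %-7s %s\n", $key, $origin, $request[$key] ?? '(unset)');
}
echo "\n";
printf("client IP, no trusted proxy:     %s\n", clientIp($request));
printf("client IP, peer is our proxy:    %s\n", clientIp($request, ['203.0.113.10']));
printf("self path for a form action:     %s\n", selfPath($request));
printf("referer host for the access log: %s\n", refererHost($request) ?? '(none)');
```

The two clientIp calls make the REMOTE_ADDR point concrete: with no trusted proxy the forwarded header is ignored and the TCP peer is returned; only when the peer is declared as your own proxy does the forwarded address win. The rest of the list behaves the way Ghodmode describes: SERVER_NAME, DOCUMENT_ROOT and SCRIPT_NAME come from server configuration, while PHP_SELF is the one server-derived value that still embeds a client-supplied path component.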
