$_SERVER


birbal

I read somewhere that all $_SERVER variables are not trusted and that you shouldn't trust any $_SERVER vars. Specifically, they were talking about some var, but they did not explain why it is so. So I am a little bit confused with that concept. How can the $_SERVER vars be untrusted? Should they need to be validated too? And if there is any particular list of malicious $_SERVER vars... what's that?

You can use tools like Fiddler (see my signature) or Firebug to see what HTTP requests look like. Anything that you see as part of the request can't be trusted. This includes the values of ALL request headers (including some you may otherwise not think about, such as "Host"), the body, heck even the HTTP method and version (though these rarely make for security issues).

> You can use tools like Fiddler (see my signature) or Firebug to see what HTTP requests look like. Anything that you see as part of the request can't be trusted. This includes the values of ALL request headers (including some you may otherwise not think about, such as "Host"), the body, heck even the HTTP method and version (though these rarely make for security issues).

Alright, now it's becoming clearer. But I want to ask particularly about HTTP_REFERER... what about that? I read somewhere that it can't be trusted, though they did not clarify the concept.
The referer header is another header the browser sends, so the browser can send anything it wants. Some browsers are configured to never send referer headers, and there are some situations (like going from HTTPS to HTTP) where they are explicitly not supposed to be sent.

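An added example (not code posted in this thread) that makes the two answers above concrete: it separates the $_SERVER entries that are copied straight from the client's request from those the server sets itself, checks the Host header against an allowlist, and treats the Referer as informational only. The host names, the $request array and the helper names are constructed for the example.

```php
<?php
// Constructed stand-in for $_SERVER: the client sent a bogus Host and Referer.
$request = [
    'SERVER_NAME'     => 'shop.example.org',   // from the vhost config, not the client
    'REMOTE_ADDR'     => '203.0.113.7',        // from the TCP connection, not a header
    'HTTP_HOST'       => 'attacker.example.net',
    'HTTP_REFERER'    => 'https://shop.example.org/checkout',
    'HTTP_USER_AGENT' => 'Mozilla/5.0',
    'HTTP_X_FORWARDED_FOR' => '10.0.0.1',      // a header, so client-supplied too
    'REQUEST_METHOD'  => 'POST',
    'REQUEST_URI'     => '/cart?id=42',
    'QUERY_STRING'    => 'id=42',
];

/**
 * Return the subset of a $_SERVER-style array that comes from the HTTP
 * request itself and is therefore attacker-controlled: every request
 * header (exposed as HTTP_<NAME>) plus the request line and query string.
 */
function clientControlledServerVars(array $server): array
{
    $requestLine = ['REQUEST_METHOD', 'REQUEST_URI', 'QUERY_STRING',
                    'SERVER_PROTOCOL', 'PATH_INFO'];
    $out = [];
    foreach ($server as $key => $value) {
        if (strncmp($key, 'HTTP_', 5) === 0 || in_array($key, $requestLine, true)) {
            $out[$key] = $value;
        }
    }
    return $out;
}

/**
 * Validate the Host header against the names this application is really
 * served under. Returns the lower-cased host on success, null otherwise.
 * SERVER_NAME is the safer source when the vhost config sets it explicitly.
 */
function trustedHost(array $server, array $allowedHosts): ?string
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', $host);   // drop an explicit port
    return in_array($host, $allowedHosts, true) ? $host : null;
}

print_r(clientControlledServerVars($request));          // lists only client-supplied keys
var_dump(trustedHost($request, ['shop.example.org']));  // rejects the forged Host
// The Referer may be missing or arbitrary, so log it but base no decision on it.
$referer = $request['HTTP_REFERER'] ?? '(none)';
echo "Referer (informational only): {$referer}\n";
```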
