request URI variable

**cpellizzi** · Jun 10, 2007 23:29

I have a simple question. Is $_SERVER['REQUEST_URI'] sent by the client's browser, or by the server? I am pretty sure based on PHP docs that it is defined by the server.

My second question is, would $_SERVER['REQUEST_URI'] return the same thing for both of the following?

http://mysite.com/index.php?skjwlfjw
http://mysite.com/index.php

Essentially, I am asking whether or not the query string makes a difference.

The reason is because I need to know if this is an ok solution for an authorization check to a webpage. Would something like the following be secure?

PHP Code:


if($_SERVER['REQUEST_URI'] != $allowed_uri){

exit;

}



// page content

Thanks in advance.

**Servyces** · Jun 10, 2007 23:49

$_SERVER['REQUEST_URI'] will include the querystring. You should be looking for $_SERVER['SCRIPT_NAME'], that doesn't include a querystring.

To see the differences between various $_SERVER vars, create a new PHP page with this code, upload it and run it from your site at different locations to see what each variable does:

PHP Code:


<?php
print_r($_SERVER);
?>

**kyberfabrikken** · Jun 11, 2007 03:33

Request URI is part of the HTTP-request, and as such, sent by the client.

**cpellizzi** · Jun 11, 2007 07:37

So would $_SERVER['SCRIPT_NAME'] be secure to use like I have shown above?

**kyberfabrikken** · Jun 11, 2007 08:06

Yes. SCRIPT_NAME is provided by the server. REQUEST_URI is provided by the client. It would also be safe to rely on though, since the script would have never been called, if the value was different (Unless you have mod_rewrite or similar running).

**cpellizzi** · Jun 11, 2007 17:08

Ok. Thanks a lot.

User Tag List

Thread: request URI variable

Thread Tools

Display

request URI variable

Bookmarks

Bookmarks

Posting Permissions