$_SERVER

$HTTP_SERVER_VARS [removed]

(PHP 4 >= 4.1.0, PHP 5, PHP 7)

$_SERVER -- $HTTP_SERVER_VARS [removed] — Server and execution environment information

Description

$_SERVER is an array containing information such as headers, paths, and script locations. The entries in this array are created by the web server. There is no guarantee that every web server will provide any of these; servers may omit some, or provide others not listed here. That said, a large number of these variables are accounted for in the » CGI/1.1 specification, so you should be able to expect those.

Note: Prior to PHP 5.4.0, $HTTP_SERVER_VARS contained the same initial information, but was not a superglobal. (Note that $HTTP_SERVER_VARS and $_SERVER were different variables and that PHP handled them as such.)

Indices

You may or may not find any of the following elements in $_SERVER. Note that few, if any, of these will be available (or indeed have any meaning) if running PHP on the command line.

'PHP_SELF'

The filename of the currently executing script, relative to the document root. For instance, $_SERVER['PHP_SELF'] in a script at the address http://example.com/foo/bar.php would be /foo/bar.php. The __FILE__ constant contains the full path and filename of the current (i.e. included) file. If PHP is running as a command-line processor this variable contains the script name since PHP 4.3.0. Previously it was not available.

'argv'

Array of arguments passed to the script. When the script is run on the command line, this gives C-style access to the command line parameters. When called via the GET method, this will contain the query string.

'argc'

Contains the number of command line parameters passed to the script (if run on the command line).

'GATEWAY_INTERFACE'

What revision of the CGI specification the server is using; i.e. 'CGI/1.1'.

'SERVER_ADDR'

The IP address of the server under which the current script is executing.

'SERVER_NAME'

The name of the server host under which the current script is executing. If the script is running on a virtual host, this will be the value defined for that virtual host.

'SERVER_SOFTWARE'

Server identification string, given in the headers when responding to requests.

'SERVER_PROTOCOL'

Name and revision of the information protocol via which the page was requested; i.e. 'HTTP/1.0';

'REQUEST_METHOD'

Which request method was used to access the page; i.e. 'GET', 'HEAD', 'POST', 'PUT'.

Note:
PHP script is terminated after sending headers (it means after producing any output without output buffering) if the request method was HEAD.

'REQUEST_TIME'

The timestamp of the start of the request. Available since PHP 5.1.0.

'REQUEST_TIME_FLOAT'

The timestamp of the start of the request, with microsecond precision. Available since PHP 5.4.0.

'QUERY_STRING'

The query string, if any, via which the page was accessed.

'DOCUMENT_ROOT'

The document root directory under which the current script is executing, as defined in the server's configuration file.

'HTTP_ACCEPT'

Contents of the Accept: header from the current request, if there is one.

'HTTP_ACCEPT_CHARSET'

Contents of the Accept-Charset: header from the current request, if there is one. Example: 'iso-8859-1,*,utf-8'.

'HTTP_ACCEPT_ENCODING'

Contents of the Accept-Encoding: header from the current request, if there is one. Example: 'gzip'.

'HTTP_ACCEPT_LANGUAGE'

Contents of the Accept-Language: header from the current request, if there is one. Example: 'en'.

'HTTP_CONNECTION'

Contents of the Connection: header from the current request, if there is one. Example: 'Keep-Alive'.

'HTTP_HOST'

Contents of the Host: header from the current request, if there is one.

'HTTP_REFERER'

The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

'HTTP_USER_AGENT'

Contents of the User-Agent: header from the current request, if there is one. This is a string denoting the user agent being which is accessing the page. A typical example is: Mozilla/4.5 [en] (X11; U; Linux 2.2.9 i586). Among other things, you can use this value with get_browser() to tailor your page's output to the capabilities of the user agent.

'HTTPS'

Set to a non-empty value if the script was queried through the HTTPS protocol.

Note: Note that when using ISAPI with IIS, the value will be off if the request was not made through the HTTPS protocol.

'REMOTE_ADDR'

The IP address from which the user is viewing the current page.

'REMOTE_HOST'

The Host name from which the user is viewing the current page. The reverse dns lookup is based off the REMOTE_ADDR of the user.

Note: Your web server must be configured to create this variable. For example in Apache you'll need HostnameLookups On inside httpd.conf for it to exist. See also gethostbyaddr().

'REMOTE_PORT'

The port being used on the user's machine to communicate with the web server.

'REMOTE_USER'

The authenticated user.

'REDIRECT_REMOTE_USER'

The authenticated user if the request is internally redirected.

'SCRIPT_FILENAME'

The absolute pathname of the currently executing script.

Note:
If a script is executed with the CLI, as a relative path, such as file.php or ../file.php, $_SERVER['SCRIPT_FILENAME'] will contain the relative path specified by the user.

'SERVER_ADMIN'

The value given to the SERVER_ADMIN (for Apache) directive in the web server configuration file. If the script is running on a virtual host, this will be the value defined for that virtual host.

'SERVER_PORT'

The port on the server machine being used by the web server for communication. For default setups, this will be '80'; using SSL, for instance, will change this to whatever your defined secure HTTP port is.

Note: Under the Apache 2, you must set UseCanonicalName = On, as well as UseCanonicalPhysicalPort = On in order to get the physical (real) port, otherwise, this value can be spoofed and it may or may not return the physical port value. It is not safe to rely on this value in security-dependent contexts.

'SERVER_SIGNATURE'

String containing the server version and virtual host name which are added to server-generated pages, if enabled.

'PATH_TRANSLATED'

Filesystem- (not document root-) based path to the current script, after the server has done any virtual-to-real mapping.

Note: As of PHP 4.3.2, PATH_TRANSLATED is no longer set implicitly under the Apache 2 SAPI in contrast to the situation in Apache 1, where it's set to the same value as the SCRIPT_FILENAME server variable when it's not populated by Apache. This change was made to comply with the CGI specification that PATH_TRANSLATED should only exist if PATH_INFO is defined. Apache 2 users may use AcceptPathInfo = On inside httpd.conf to define PATH_INFO.

'SCRIPT_NAME'

Contains the current script's path. This is useful for pages which need to point to themselves. The __FILE__ constant contains the full path and filename of the current (i.e. included) file.

'REQUEST_URI'

The URI which was given in order to access this page; for instance, '/index.html'.

'PHP_AUTH_DIGEST'

When doing Digest HTTP authentication this variable is set to the 'Authorization' header sent by the client (which you should then use to make the appropriate validation).

'PHP_AUTH_USER'

When doing HTTP authentication this variable is set to the username provided by the user.

'PHP_AUTH_PW'

When doing HTTP authentication this variable is set to the password provided by the user.

'AUTH_TYPE'

When doing HTTP authentication this variable is set to the authentication type.

'PATH_INFO'

Contains any client-provided pathname information trailing the actual script filename but preceding the query string, if available. For instance, if the current script was accessed via the URL http://www.example.com/php/path_info.php/some/stuff?foo=bar, then $_SERVER['PATH_INFO'] would contain /some/stuff.

'ORIG_PATH_INFO'

Original version of 'PATH_INFO' before processed by PHP.

Changelog

Version	Description
5.4.0	`$HTTP_SERVER_VARS` isn't available anymore due to the removal of long arrays registering.
5.3.0	Directive register_long_arrays which caused `$HTTP_SERVER_VARS` to be available has been deprecated.
4.1.0	Introduced `$_SERVER` that deprecated `$HTTP_SERVER_VARS`.

Examples

Example #1 $_SERVER example


<?php
echo $_SERVER['SERVER_NAME'];
?>

The above example will output something similar to:

www.example.com

Notes

Note:
This is a 'superglobal', or automatic global, variable. This simply means that it is available in all scopes throughout a script. There is no need to do global $variable; to access it within functions or methods.

User Contributed Notes

zeufonlinux at gmail dot com

3 years ago


Just a PHP file to put on your local server (as I don't have enough memory)



 <?php

 $indicesServer = array('PHP_SELF',

'argv',

'argc',

'GATEWAY_INTERFACE',

'SERVER_ADDR',

'SERVER_NAME',

'SERVER_SOFTWARE',

'SERVER_PROTOCOL',

'REQUEST_METHOD',

'REQUEST_TIME',

'REQUEST_TIME_FLOAT',

'QUERY_STRING',

'DOCUMENT_ROOT',

'HTTP_ACCEPT',

'HTTP_ACCEPT_CHARSET',

'HTTP_ACCEPT_ENCODING',

'HTTP_ACCEPT_LANGUAGE',

'HTTP_CONNECTION',

'HTTP_HOST',

'HTTP_REFERER',

'HTTP_USER_AGENT',

'HTTPS',

'REMOTE_ADDR',

'REMOTE_HOST',

'REMOTE_PORT',

'REMOTE_USER',

'REDIRECT_REMOTE_USER',

'SCRIPT_FILENAME',

'SERVER_ADMIN',

'SERVER_PORT',

'SERVER_SIGNATURE',

'PATH_TRANSLATED',

'SCRIPT_NAME',

'REQUEST_URI',

'PHP_AUTH_DIGEST',

'PHP_AUTH_USER',

'PHP_AUTH_PW',

'AUTH_TYPE',

'PATH_INFO',

'ORIG_PATH_INFO') ;



echo '<table cellpadding="10">' ;

foreach ($indicesServer as $arg) {

    if (isset($_SERVER[$arg])) {

        echo '<tr><td>'.$arg.'</td><td>' . $_SERVER[$arg] . '</td></tr>' ;

    }

    else {

        echo '<tr><td>'.$arg.'</td><td>-</td></tr>' ;

    }

}

echo '</table>' ;



/*



That will give you the result of each variable like (if the file is server_indices.php at the root and Apache Web directory is in E:\web) : 



PHP_SELF    /server_indices.php

argv    -

argc    -

GATEWAY_INTERFACE    CGI/1.1

SERVER_ADDR    127.0.0.1

SERVER_NAME    localhost

SERVER_SOFTWARE    Apache/2.2.22 (Win64) PHP/5.3.13

SERVER_PROTOCOL    HTTP/1.1

REQUEST_METHOD    GET

REQUEST_TIME    1361542579

REQUEST_TIME_FLOAT    -

QUERY_STRING    

DOCUMENT_ROOT    E:/web/

HTTP_ACCEPT    text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

HTTP_ACCEPT_CHARSET    ISO-8859-1,utf-8;q=0.7,*;q=0.3

HTTP_ACCEPT_ENCODING    gzip,deflate,sdch

HTTP_ACCEPT_LANGUAGE    fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4

HTTP_CONNECTION    keep-alive

HTTP_HOST    localhost

HTTP_REFERER    http://localhost/

HTTP_USER_AGENT    Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17

HTTPS    -

REMOTE_ADDR    127.0.0.1

REMOTE_HOST    -

REMOTE_PORT    65037

REMOTE_USER    -

REDIRECT_REMOTE_USER    -

SCRIPT_FILENAME    E:/web/server_indices.php

SERVER_ADMIN    myemail@personal.us

SERVER_PORT    80

SERVER_SIGNATURE    

PATH_TRANSLATED    -

SCRIPT_NAME    /server_indices.php

REQUEST_URI    /server_indices.php

PHP_AUTH_DIGEST    -

PHP_AUTH_USER    -

PHP_AUTH_PW    -

AUTH_TYPE    -

PATH_INFO    -

ORIG_PATH_INFO    -



*/

?>

Vladimir Kornea

7 years ago


1. All elements of the $_SERVER array whose keys begin with 'HTTP_' come from HTTP request headers and are not to be trusted.

2. All HTTP headers sent to the script are made available through the $_SERVER array, with names prefixed by 'HTTP_'.

3. $_SERVER['PHP_SELF'] is dangerous if misused. If login.php/nearly_arbitrary_string is requested, $_SERVER['PHP_SELF'] will contain not just login.php, but the entire login.php/nearly_arbitrary_string. If you've printed $_SERVER['PHP_SELF'] as the value of the action attribute of your form tag without performing HTML encoding, an attacker can perform XSS attacks by offering users a link to your site such as this:

<a href='http://www.example.com/login.php/"><script type="text/javascript">...</script><span a="'>Example.com</a>

The javascript block would define an event handler function and bind it to the form's submit event. This event handler would load via an <img> tag an external file, with the submitted username and password as parameters.

Use $_SERVER['SCRIPT_NAME'] instead of $_SERVER['PHP_SELF']. HTML encode every string sent to the browser that should not be interpreted as HTML, unless you are absolutely certain that it cannot contain anything that the browser can interpret as HTML.

Lord Mac

6 years ago


An even *more* improved version...

<?php
phpinfo(32);
?>

rulerof at gmail dot com

5 years ago


I needed to get the full base directory of my script local to my webserver, IIS 7 on Windows 2008.



I ended up using this:



<?php

function GetBasePath() {

    return substr($_SERVER['SCRIPT_FILENAME'], 0, strlen($_SERVER['SCRIPT_FILENAME']) - strlen(strrchr($_SERVER['SCRIPT_FILENAME'], "\\")));

}

?>



And it returned C:\inetpub\wwwroot\<applicationfolder> as I had hoped.

steve at sc-fa dot com

6 years ago


If you are serving from behind a proxy server, you will almost certainly save time by looking at what these $_SERVER variables do on your machine behind the proxy.   

$_SERVER['HTTP_X_FORWARDED_FOR'] in place of $_SERVER['REMOTE_ADDR']

$_SERVER['HTTP_X_FORWARDED_HOST'] and 
$_SERVER['HTTP_X_FORWARDED_SERVER'] in place of (at least in our case,) $_SERVER['SERVER_NAME']

jarrod at squarecrow dot com

6 years ago


$_SERVER['DOCUMENT_ROOT'] is incredibly useful especially when working in your development environment. If you're working on large projects you'll likely be including a large number of files into your pages. For example:



<?php

//Defines constants to use for "include" URLS - helps keep our paths clean



        define("REGISTRY_CLASSES",  $_SERVER['DOCUMENT_ROOT']."/SOAP/classes/");

        define("REGISTRY_CONTROLS", $_SERVER['DOCUMENT_ROOT']."/SOAP/controls/");



        define("STRING_BUILDER",     REGISTRY_CLASSES. "stringbuilder.php");

        define("SESSION_MANAGER",     REGISTRY_CLASSES. "sessionmanager.php");

        define("STANDARD_CONTROLS",    REGISTRY_CONTROLS."standardcontrols.php");

?>



In development environments, you're rarely working with your root folder, especially if you're running PHP locally on your box and using DOCUMENT_ROOT is a great way to maintain URL conformity. This will save you hours of work preparing your application for deployment from your box to a production server (not to mention save you the headache of include path failures).

jonbarnett at gmail dot com

7 years ago


It's worth noting that $_SERVER variables get created for any HTTP request headers, including those you might invent:

If the browser sends an HTTP request header of:
X-Debug-Custom: some string

Then:

<?php
$_SERVER['HTTP_X_DEBUG_CUSTOM']; // "some string"
?>

There are better ways to identify the HTTP request headers sent by the browser, but this is convenient if you know what to expect from, for example, an AJAX script with custom headers.

Works in PHP5 on Apache with mod_php.  Don't know if this is true from other environments.

plugwash at p10link dot net

1 year ago


Be aware that it's a bad idea to access x-forwarded-for and similar headers through this array. The header names are mangled when populating the array and this mangling can introduce spoofing vulnerabilities.

See http://en.wikipedia.org/wiki/User:Brion_VIBBER/Cool_Cat_incident_report for details of a real world exploit of this.

Tonin

7 years ago


When using the $_SERVER['SERVER_NAME'] variable in an apache virtual host setup with a ServerAlias directive, be sure to check the UseCanonicalName apache directive.  If it is On, this variable will always have the apache ServerName value.  If it is Off, it will have the value given by the headers sent by the browser.

Depending on what you want to do the content of this variable, put in On or Off.

krinklemail at gmail dot com

3 years ago


If requests to your PHP script send a header "Content-Type" or/ "Content-Length" it will, contrary to regular HTTP headers, not appear in $_SERVER as $_SERVER['HTTP_CONTENT_TYPE']. PHP removes these (per CGI/1.1 specification[1]) from the HTTP_ match group.

They are still accessible, but only if the request was a POST request. When it is, it'll be available as:
$_SERVER['CONTENT_LENGTH']
$_SERVER['CONTENT_TYPE']

[1] https://www.ietf.org/rfc/rfc3875

chris

6 years ago


A table of everything in the $_SERVER array can be found near the bottom of the output of phpinfo();

Richard York

6 years ago


Not documented here is the fact that $_SERVER is populated with some pretty useful information when accessing PHP via the shell.

 ["_SERVER"]=>
  array(24) {
    ["MANPATH"]=>
    string(48) "/usr/share/man:/usr/local/share/man:/usr/X11/man"
    ["TERM"]=>
    string(11) "xterm-color"
    ["SHELL"]=>
    string(9) "/bin/bash"
    ["SSH_CLIENT"]=>
    string(20) "127.0.0.1 41242 22"
    ["OLDPWD"]=>
    string(60) "/Library/WebServer/Domains/www.example.com/private"
    ["SSH_TTY"]=>
    string(12) "/dev/ttys000"
    ["USER"]=>
    string(5) "username"
    ["MAIL"]=>
    string(15) "/var/mail/username"
    ["PATH"]=>
    string(57) "/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/X11/bin"
    ["PWD"]=>
    string(56) "/Library/WebServer/Domains/www.example.com/www"
    ["SHLVL"]=>
    string(1) "1"
    ["HOME"]=>
    string(12) "/Users/username"
    ["LOGNAME"]=>
    string(5) "username"
    ["SSH_CONNECTION"]=>
    string(31) "127.0.0.1 41242 10.0.0.1 22"
    ["_"]=>
    string(12) "/usr/bin/php"
    ["__CF_USER_TEXT_ENCODING"]=>
    string(9) "0x1F5:0:0"
    ["PHP_SELF"]=>
    string(10) "Shell.php"
    ["SCRIPT_NAME"]=>
    string(10) "Shell.php"
    ["SCRIPT_FILENAME"]=>
    string(10) "Shell.php"
    ["PATH_TRANSLATED"]=>
    string(10) "Shell.php"
    ["DOCUMENT_ROOT"]=>
    string(0) ""
    ["REQUEST_TIME"]=>
    int(1247162183)
    ["argv"]=>
    array(1) {
      [0]=>
      string(10) "Shell.php"
    }
    ["argc"]=>
    int(1)
  }

mirko dot steiner at slashdevslashnull dot de

6 years ago


<?php

// RFC 2616 compatible Accept Language Parser
// http://www.ietf.org/rfc/rfc2616.txt, 14.4 Accept-Language, Page 104
// Hypertext Transfer Protocol -- HTTP/1.1

foreach (explode(',', $_SERVER['HTTP_ACCEPT_LANGUAGE']) as $lang) {
    $pattern = '/^(?P<primarytag>[a-zA-Z]{2,8})'.
    '(?:-(?P<subtag>[a-zA-Z]{2,8}))?(?:(?:;q=)'.
    '(?P<quantifier>\d\.\d))?$/';

    $splits = array();

    printf("Lang:,,%s''\n", $lang);
    if (preg_match($pattern, $lang, $splits)) {
        print_r($splits);
    } else {
        echo "\nno match\n";
    }
}

?>

example output:

Google Chrome 3.0.195.27 Windows xp

Lang:,,de-DE''
Array
(
    [0] => de-DE
    [primarytag] => de
    [1] => de
    [subtag] => DE
    [2] => DE
)
Lang:,,de;q=0.8''
Array
(
    [0] => de;q=0.8
    [primarytag] => de
    [1] => de
    [subtag] => 
    [2] => 
    [quantifier] => 0.8
    [3] => 0.8
)
Lang:,,en-US;q=0.6''
Array
(
    [0] => en-US;q=0.6
    [primarytag] => en
    [1] => en
    [subtag] => US
    [2] => US
    [quantifier] => 0.6
    [3] => 0.6
)
Lang:,,en;q=0.4''
Array
(
    [0] => en;q=0.4
    [primarytag] => en
    [1] => en
    [subtag] => 
    [2] => 
    [quantifier] => 0.4
    [3] => 0.4
)

MarkAgius at markagius dot co dot uk

4 years ago


You have missed 'REDIRECT_STATUS'

Very useful if you point all your error pages to the same file.

File; .htaccess
# .htaccess file.

ErrorDocument 404 /error-msg.php
ErrorDocument 500 /error-msg.php
ErrorDocument 400 /error-msg.php
ErrorDocument 401 /error-msg.php
ErrorDocument 403 /error-msg.php
# End of file.

File; error-msg.php
<?php
  $HttpStatus = $_SERVER["REDIRECT_STATUS"] ;
  if($HttpStatus==200) {print "Document has been processed and sent to you.";}
  if($HttpStatus==400) {print "Bad HTTP request ";}
  if($HttpStatus==401) {print "Unauthorized - Iinvalid password";}
  if($HttpStatus==403) {print "Forbidden";}
  if($HttpStatus==500) {print "Internal Server Error";}
  if($HttpStatus==418) {print "I'm a teapot! - This is a real value, defined in 1998";}

?>

pudding06 at gmail dot com

6 years ago


Here's a simple, quick but effective way to block unwanted external visitors to your local server:



<?php

// only local requests

if ($_SERVER['REMOTE_ADDR'] !== '127.0.0.1') die(header("Location: /"));

?>



This will direct all external traffic to your home page. Of course you could send a 404 or other custom error. Best practice is not to stay on the page with a custom error message as you acknowledge that the page does exist. That's why I redirect unwanted calls to (for example) phpmyadmin.

php at isnoop dot net

6 years ago


Use the apache SetEnv directive to set arbitrary $_SERVER variables in your vhost or apache config.

SetEnv varname "variable value"

Stefano (info at sarchittu dot org)

5 years ago


A way to get the absolute path of your page, independent from the site position (so works both on local machine and on server without setting anything) and from the server OS (works both on Unix systems and Windows systems).

The only parameter it requires is the folder in which you place this script
So, for istance, I'll place this into my SCRIPT folder, and I'll write SCRIPT word length in $conflen

<?php
$conflen=strlen('SCRIPT');
$B=substr(__FILE__,0,strrpos(__FILE__,'/'));
$A=substr($_SERVER['DOCUMENT_ROOT'], strrpos($_SERVER['DOCUMENT_ROOT'], $_SERVER['PHP_SELF']));
$C=substr($B,strlen($A));
$posconf=strlen($C)-$conflen-1;
$D=substr($C,1,$posconf);
$host='http://'.$_SERVER['SERVER_NAME'].'/'.$D;
?>

$host will finally contain the absolute path.

Tom

3 years ago


Be warned that most contents of the Server-Array (even $_SERVER['SERVER_NAME']) are provided by the client and can be manipulated. They can also be used for injections and thus MUST be checked and treated like any other user input.

cupy at email dot cz

6 years ago


Tech note:
$_SERVER['argc'] and $_SERVER['argv'][] has some funny behaviour,
used from linux (bash) commandline, when called like 
"php ./script_name.php 0x020B" 
there is everything correct, but 
"./script_name.php 0x020B"
is not correct - "0" is passed instead of "0x020B" as $_SERVER['argv'][1] - see the script below.
Looks like the parameter is not passed well from bash to PHP.
(but, inspected on the level of bash, 0x020B is understood well as $1)

try this example:

------------->8------------------
cat ./script_name.php
#! /usr/bin/php

if( $_SERVER['argc'] == 2)
  {
    // funny... we have to do this trick to pass e.g. 0x020B from parameters
    // ignore this: "PHP Notice:  Undefined offset:  2 in ..."
    $EID = $_SERVER['argv'][1] + $_SERVER['argv'][2] + $_SERVER['argv'][3];
  }
 else
   {        // default
     $EID = 0x0210; // PPS failure
   }

answer at question dot forever

1 year ago


I'm lazy but rigorous:
<?php
while (list($var,$value) = each ($_SERVER)) {
echo $var." Val:".$value."<br />";
}
<a href="https://blog.sinatranetwork.com/2011/07/20/php-how-to-print-all-_server-variables/">Thank you sir!</a>
?>

jette at nerdgirl dot dk

7 years ago


Windows running IIS v6 does not include $_SERVER['SERVER_ADDR']

If you need to get the IP addresse, use this instead:

<?php
$ipAddress = gethostbyname($_SERVER['SERVER_NAME']);
?>

picov at e-link dot it

4 years ago


A simple function to detect if the current page address was rewritten by mod_rewrite:



<?php

public function urlWasRewritten() {

  $realScriptName=$_SERVER['SCRIPT_NAME'];

  $virtualScriptName=reset(explode("?", $_SERVER['REQUEST_URI']));

  return !($realScriptName==$virtualScriptName);

}

?>

wbeaumo1 at gmail dot com

5 years ago


Don't forget $_SERVER['HTTP_COOKIE']. It contains the raw value of the 'Cookie' header sent by the user agent.

geoffrey dot hoffman at gmail dot com

7 years ago


If you are looking at $_SERVER['HTTP_USER_AGENT'] to determine whether your user is on a mobile device, you may want to visit these resources:

http://wurfl.sourceforge.net/

http://www.zytrax.com/tech/web/mobile_ids.html

pomat at live dot it

2 years ago


$_SERVER['DOCUMENT_ROOT'] may contain backslashes on windows systems, and of course it may or may not have a trailing slash (backslash).
I saw the following as an example of the proper way we're supposed to deal with this issue:

<?php
include(dirname($_SERVER['DOCUMENT_ROOT']) . DIRECTORY_SEPARATOR . 'file.php');
?>

Ok, the latter may be used to access a file inside the parent directory of the document root, but actually does not properly address the issue.
In the end, don't warry about. It should be safe to use forward slashes and append a trailing slash in all cases.
Let's say we have this:

<?php
$path = 'subdir/file.php';
$result = $_SERVER['DOCUMENT_ROOT'] . '/' . $path;
?>

On linux $result might be something like
1) "/var/www/subdir/file.php"
2) "/var/www//subdir/file.php"
String 2 is parsed the same as string 1 (have a try with command 'cd').

On windows $result might be something like
1) "C:/apache/htdocs/subdir/file.php"
2) "C:/apache/htdocs//subdir/file.php"
3) "C:\apache\htdocs/subdir/file.php"
4) "C:\apache\htdocs\/subdir/file.php"
All those strings are parsed as "C:\apache\htdocs\subdir\file.php" (have a try with 'cd').

info at mtprod dot com

7 years ago


On Windows IIS 7 you must use $_SERVER['LOCAL_ADDR'] rather than $_SERVER['SERVER_ADDR'] to get the server's IP address.

jit_chavan at yahoo dot com

2 years ago


searched $_SERVER["REDIRECT_URL"] for a while and noted that it is not mentioned in php documentation page itself. look like this is only generated by apache server(not others) and using   $_SERVER["REQUEST_URI"] will be useful in some cases as mine.

silverquick at gmail dot com

7 years ago


I think the HTTPS element will only be present under Apache 2.x. It's not in the list of "special" variables here:
http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html#RewriteCond
But it is here:
http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html#rewritecond

dtomasiewicz at gmail dot com

5 years ago


To get an associative array of HTTP request headers formatted similarly to get_headers(), this will do the trick:

<?php
/**
 * Transforms $_SERVER HTTP headers into a nice associative array. For example:
 *   array(
 *       'Referer' => 'example.com',
 *       'X-Requested-With' => 'XMLHttpRequest'
 *   )
 */
function get_request_headers() {
    $headers = array();
    foreach($_SERVER as $key => $value) {
        if(strpos($key, 'HTTP_') === 0) {
            $headers[str_replace(' ', '-', ucwords(str_replace('_', ' ', strtolower(substr($key, 5)))))] = $value;
        }
    }
    return $headers;
}
?>

wyattstorch42 at outlook dot com

2 years ago


<?php
/*
 * I wrote this because I was including a file with classes in it. Let's say that
 * I have a contact page at mysite.com/contact/index.php and a Form class at
 * mysite.com/classes/Form.php. So in index.php, I have this statement:
 * require '../classes/Form.php';
 * The Form class includes a method to generate the HTML markup for a number of
 * form elements, including a CAPTCHA image and associated text field. To do so,
 * it must generate an <img /> element and give it a src of Form.php?captcha.
 * But I wanted it to automatically generate a src attribute without index.php
 * giving it a relative path. This script comes in handy by automatically
 * locating the directory that contains the included file (Form.php) and converting
 * it from an absolute path to a relative path that could be used for an img src,
 * an a href, a link href, etc.
 */ 
function relativeURL () {
    $dir = str_replace('\\', '/', __DIR__);
        // Resolves inconsistency with PATH_SEPARATOR on Windows vs. Linux
        // Use dirname(__FILE__) in place of __DIR__ for older PHP versions
    return substr($dir, strlen($_SERVER['DOCUMENT_ROOT']));
        // Clip off the part of the path outside of the document root
}

/*
 *contact/index.php
 */
require '../classes/Form.php';
new Form()->drawCaptchaField();
    // Writes: <img src="/classes/Form.php?captcha" />

    
/*
 * classes/Form.php
 */
if (isset($_GET['captcha'])) {
    // generate/return CAPTCHA image
}

class Form {
    // ...
    public function drawCaptchaField () {
        echo '<img src="'.relativeURL().'?captcha" />';
    }
}
?>

admin at NOSpAM dot sinfocol dot org

6 years ago


I was testing with the $_SERVER variable and some request method, and I found that with apache I can put an arbitrary method.

For example, I have an script called "server.php" in my example webpage with the next code:

<?php
echo $_SERVER['REQUEST_METHOD'];
?>

And I made this request:
c:\>nc -vv www.example.com 80
example.com [x.x.x.x] 80 (http) open
ArbitratyMethod /server.php HTTP/1.1
Host: wow.sinfocol.org
Connection: Close

The response of the server is the next:
HTTP/1.1 200 OK
Date: Fri, 15 Jan 2010 05:14:09 GMT
Server: Apache
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

ArbitratyMethod

So, be carefully when include the $_SERVER['REQUEST_METHOD'] in any script, this kind of "bug" is old and could be dangerous.

office at peername dot com

5 months ago


Keep in mind that if the user is using proxy server (like PAC), REQUEST_URI will include the full request URL like http://example.com/path/

joerg dot reinholz at fastix dot org

11 months ago


On a few of servers (e.g, Strato AG Germany, shared hosting)  $_SERVER["DOCUMENT_ROOT"] follow symlinks (while so configured by admins)

This is a problem while __DIR__ give the realpath.  Try the error with this small script inside of  DOCUMENT_ROOT:

<?php
header('Content-type: text/plain');
echo '__DIR__                            : ', __DIR__ , "\n";
echo '$_SERVER["DOCUMENT_ROOT"]          : ', $_SERVER["DOCUMENT_ROOT"] , "\n";
echo 'realpath($_SERVER["DOCUMENT_ROOT"]): ', realpath($_SERVER["DOCUMENT_ROOT"]), "\n";

## file 'include_me.php'

# Exit, wenn in document_root, weil dann Sicherheitsproblem auftreten kann:
if (-1 < strpos(__DIR__, $_SERVER["DOCUMENT_ROOT"]) ) {
    trigger_error('Fatal: '. __FILE__
         . ' darf nicht in oder unterhalb von DOCUMENT_ROOT ('
         . $_SERVER["DOCUMENT_ROOT"] . ') liegen!', E_USER_ERROR);
    exit;
}
?>
This will never trigger the error!

Use better:
<?php
header('Content-type: text/plain');
echo '__DIR__                            : ', __DIR__ , "\n";
echo '$_SERVER["DOCUMENT_ROOT"]          : ', $_SERVER["DOCUMENT_ROOT"] , "\n";
echo 'realpath($_SERVER["DOCUMENT_ROOT"]): ', realpath($_SERVER["DOCUMENT_ROOT"]), "\n";

## file 'include_me.php'

# Exit, wenn in document_root, weil dann Sicherheitsproblem auftreten kann:
if (-1 < strpos(__DIR__, $_SERVER["DOCUMENT_ROOT"]) ) {
    trigger_error('Fatal: '. __FILE__
         . ' darf nicht in oder unterhalb von DOCUMENT_ROOT ('
         . $_SERVER["DOCUMENT_ROOT"] . ') liegen!', E_USER_ERROR);
    exit;
}
?>

dii3g0

4 years ago


Proccess path_info

<?php
function get_path_info()
{
    if( ! array_key_exists('PATH_INFO', $_SERVER) )
    {
        $pos = strpos($_SERVER['REQUEST_URI'], $_SERVER['QUERY_STRING']);
    
        $asd = substr($_SERVER['REQUEST_URI'], 0, $pos - 2);
        $asd = substr($asd, strlen($_SERVER['SCRIPT_NAME']) + 1);
        
        return $asd;    
    }
    else
    {
        return trim($_SERVER['PATH_INFO'], '/');
    }
}

Josh Fremer

5 years ago


HTTPS

Set to a non-empty value if the script was queried through the HTTPS protocol.

Note: Note that when using ISAPI with IIS, the value will be off if the request was not made through the HTTPS protocol.

=-=-=

To clarify this, the value is the string "off", so a specific non-empty value rather than an empty value as in Apache.

jeff at example dot com

7 years ago


Note that, in Apache 2, the server settings will affect the variables available in $_SERVER. For example, if you are using SSL, the following directive will dump SSL-related status information, along with the server certificate and client certificate (if present) into the $_SERVER variables:

SSLOptions +StdEnvVars +ExportCertData

doublecompile at gmail dot com

10 months ago


I've used the SplPriorityQueue to determine an HTTP client's preferred MIME types that are in $_SERVER['HTTP_ACCEPT'].

<?php
$queue = new \SplPriorityQueue();
foreach (preg_split('#,\s*#', $_SERVER['HTTP_ACCEPT']) as $accept) {
    $split = preg_split('#;\s*q=#', $accept, 2);
    $queue->insert($split[0], isset($split[1]) ? (float)$split[1] : 1.0);
}
foreach ($queue as $mime) {
    echo $mime, PHP_EOL;
}
?>

My browser sends:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

And this script outputs:
text/html
application/xhtml+xml
application/xml
*/*

A better example:
Accept: text/html, application/xml,text/css;q=0.4,text/plain; q=0.9, application/json;q=0.8

And this script outputs:
text/html
application/xml
text/plain
application/json
text/css

@44it

2 years ago


All the $_SERVER[''] In php : 



<?php



echo "PHP_SELF : " . $_SERVER['PHP_SELF'] . "<br />";

echo "GATEWAY_INTERFACE : " . $_SERVER['GATEWAY_INTERFACE'] . "<br />";

echo "SERVER_ADDR : " . $_SERVER['SERVER_ADDR'] . "<br />";

echo "SERVER_NAME : " . $_SERVER['SERVER_NAME'] . "<br />";

echo "SERVER_SOFTWARE : " . $_SERVER['SERVER_SOFTWARE'] . "<br />";

echo "SERVER_PROTOCOL : " . $_SERVER['SERVER_PROTOCOL'] . "<br />";

echo "REQUEST_METHOD : " . $_SERVER['REQUEST_METHOD'] . "<br />";

echo "REQUEST_TIME : " . $_SERVER['REQUEST_TIME'] . "<br />";

echo "REQUEST_TIME_FLOAT : " . $_SERVER['REQUEST_TIME_FLOAT'] . "<br />";

echo "QUERY_STRING : " . $_SERVER['QUERY_STRING'] . "<br />";

echo "DOCUMENT_ROOT : " . $_SERVER['DOCUMENT_ROOT'] . "<br />";

echo "HTTP_ACCEPT : " . $_SERVER['HTTP_ACCEPT'] . "<br />";

echo "HTTP_ACCEPT_CHARSET : " . $_SERVER['HTTP_ACCEPT_CHARSET'] . "<br />";

echo "HTTP_ACCEPT_ENCODING : " . $_SERVER['HTTP_ACCEPT_ENCODING'] . "<br />";

echo "HTTP_ACCEPT_LANGUAGE : " . $_SERVER['HTTP_ACCEPT_LANGUAGE'] . "<br />";

echo "HTTP_CONNECTION : " . $_SERVER['HTTP_CONNECTION'] . "<br />";

echo "HTTP_HOST : " . $_SERVER['HTTP_HOST'] . "<br />";

echo "HTTP_REFERER : " . $_SERVER['HTTP_REFERER'] . "<br />";

echo "HTTP_USER_AGENT : " . $_SERVER['HTTP_USER_AGENT'] . "<br />";

echo "HTTPS : " . $_SERVER['HTTPS'] . "<br />";

echo "REMOTE_ADDR : " . $_SERVER['REMOTE_ADDR'] . "<br />";

echo "REMOTE_HOST : " . $_SERVER['REMOTE_HOST'] . "<br />";

echo "REMOTE_PORT : " . $_SERVER['REMOTE_PORT'] . "<br />";

echo "REMOTE_USER : " . $_SERVER['REMOTE_USER'] . "<br />";

echo "REDIRECT_REMOTE_USER : " . $_SERVER['REDIRECT_REMOTE_USER'] . "<br />";

echo "SCRIPT_FILENAME : " . $_SERVER['SCRIPT_FILENAME'] . "<br />";

echo "SERVER_ADMIN : " . $_SERVER['SERVER_ADMIN'] . "<br />";

echo "SERVER_PORT : " . $_SERVER['SERVER_PORT'] . "<br />";

echo "SERVER_SIGNATURE : " . $_SERVER['SERVER_SIGNATURE'] . "<br />";

echo "PATH_TRANSLATED : " . $_SERVER['PATH_TRANSLATED'] . "<br />";

echo "SCRIPT_NAME : " . $_SERVER['SCRIPT_NAME'] . "<br />";

echo "REQUEST_URI : " . $_SERVER['REQUEST_URI'] . "<br />";

echo "PHP_AUTH_DIGEST : " . $_SERVER['PHP_AUTH_DIGEST'] . "<br />";

echo "PHP_AUTH_USER : " . $_SERVER['PHP_AUTH_USER'] . "<br />";

echo "PHP_AUTH_PW : " . $_SERVER['PHP_AUTH_PW'] . "<br />";

echo "AUTH_TYPE : " . $_SERVER['AUTH_TYPE'] . "<br />";

echo "PATH_INFO : " . $_SERVER['PATH_INFO'] . "<br />";

echo "ORIG_PATH_INFO : " . $_SERVER['ORIG_PATH_INFO'] . "<br />";



?>



By : @44it



[EDITOR'S NOTE: Removed external link. EDITED BY: thiago]

kamazee at gmail dot com

6 years ago


$_SERVER['DOCUMENT_ROOT'] in different environments may has trailing slash or not, so be careful when including files from $_SERVER['DOCUMENT_ROOT']:
<?php
include(dirname($_SERVER['DOCUMENT_ROOT']) . DIRECTORY_SEPARATOR . 'file.php')
?>

Gary Mathis

1 year ago


The best way to see all variables within the $_SERVER array, that I have found, is as follows:

<?php
foreach($_SERVER as $key => $value){
echo '$_SERVER["'.$key.'"] = '.$value."<br />";
}
?>

This will tell you which ones are available on your server and what they are set to.

Megan Mickelson

6 years ago


It makes sense to want to paste the $_SERVER['REQUEST_URI'] on to a page (like on a footer), but be sure to clean it up first with htmlspecialchars() otherwise it poses a cross-site scripting vulnerability.



htmlspecialchars($_SERVER['REQUEST_URI']);



e.g.

http://www.example.com/foo?<script>...



becomes

http://www.example.com/foo?&lt;script&gt;...

Dean Jenkins

3 years ago


To get the name and web path of the current script

<?php
$scriptname=end(explode('/',$_SERVER['PHP_SELF']));
$scriptpath=str_replace($scriptname,'',$_SERVER['PHP_SELF']);
?>

sendmailz1987 at gmail dot com

2 years ago


Example:

$current = $_SERVER['SERVER_NAME'] . $_SERVER['PHP_SELF'];

echo $current;

will output the root to the current page, including url and document root, something like:

example.com/users/profile.php

sabas88 at gmail dot com

3 years ago


I'm the author of this note
http://www.php.net/manual/en/reserved.variables.server.php#100881

I optimized since that note the path function, basically added detection of windows slashes and a partial option

Now is released on github

https://github.com/sabas/magicpath

emailfire at gmail dot com

7 years ago


REQUEST_URI is useful, but if you want to get just the file name use:

<?php
$this_page = basename($_SERVER['REQUEST_URI']);
if (strpos($this_page, "?") !== false) $this_page = reset(explode("?", $this_page));
?>

Taomyn

7 years ago


'HTTPS'
    Set to a non-empty value if the script was queried through the HTTPS protocol. Note that when using ISAPI with IIS, the value will be off if the request was not made through the HTTPS protocol. 

Does the same for IIS7 running PHP as a Fast-CGI application.

dragon[dot]dionysius[at]gmail[dot]com

7 years ago


I've updated the function of my previous poster and putted it into my class.

<?php
    /**
     * Checking HTTP-Header for language
     * needed for various system classes
     * 
     * @return    boolean    true/false 
     */
    private function _checkClientLanguage()
    {    
        $langcode = (!empty($_SERVER['HTTP_ACCEPT_LANGUAGE'])) ? $_SERVER['HTTP_ACCEPT_LANGUAGE'] : '';
        $langcode = (!empty($langcode)) ? explode(";", $langcode) : $langcode;
        $langcode = (!empty($langcode['0'])) ? explode(",", $langcode['0']) : $langcode;
        $langcode = (!empty($langcode['0'])) ? explode("-", $langcode['0']) : $langcode;
        return $langcode['0'];
    }
?>

Please note, you have to check additional the result! Because the header may be missing or another possible thing, it is malformed. So check the result with a list with languages you support and perhaps you have to load a default language.

<?php

// if result isn't one of my defined languages
            if(!in_array($lang, $language_list)) {
                $lang = $language_default; // load default

?>

My HTTP_ACCEPT_LANGUAGE string:
FF3: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3 
IE7: de-ch

So, take care of it!

Andrew B

7 years ago


Please note on Windows/IIS - the variable 'USER_AUTH' will return the username/identity of the user accessing the page, i.e. if anonymous access is off, you would normally get back "$domain\$username".

Anonymous

5 years ago


Use Strict-Transport-Security (STS) to force the use of SSL.
<?php
$use_sts = TRUE;

if ($use_sts && isset($_SERVER['HTTPS']) {
  header('Strict-Transport-Security: max-age=500');
} elseif ($use_sts && !isset($_SERVER['HTTPS']) {
  header('Status-Code: 301');
  header('Location: https://'.$_SERVER["HTTP_HOST"].$_SERVER['REQUEST_URI']);
}
?>

info at salientdigital dot com

2 years ago


A word of caution...

If you have some PHP code or file that is included from within a web request via Apache + PHP, as well as from a command line script, be very careful to inspect the keys inside of $_SERVER that you intend to use.

The keys and values are different, and in fact, it also matters if you are running as your_user, sudo php from your_user, or from root. 

For example, I just found out that $_SERVER['PWD'] is not available if you run from the command line via sudo (PHP 5.2x, CentOS, YMMV).

To make a test, create a file called server.php with the following content:

<?php
var_dump($_SERVER);
?>

Then from the commandline:
your_account/dir #$ php server.php > your_account_server.txt
your_account/dir #$ sudo php server.php > your_account_sudo_server.txt
your_account/dir #$ sudo bash
root/dir #$ php server.php > root_server.txt

Now you can diff the output of each of these three files and inspect against what you get when viewing the $_SERVER section of phpinfo() from a web request. You may find the differences to be quite striking, in all, four different ways to run the same PHP file!

LOL

4 years ago


For an hosting that use windows I have used this script to make REQUEST_URI to be correctly setted on IIS
<?php
function request_URI() {
    if(!isset($_SERVER['REQUEST_URI'])) {
        $_SERVER['REQUEST_URI'] = $_SERVER['SCRIPT_NAME'];
        if($_SERVER['QUERY_STRING']) {
            $_SERVER['REQUEST_URI'] .= '?' . $_SERVER['QUERY_STRING'];
        }
    }
    return $_SERVER['REQUEST_URI'];
}
$_SERVER['REQUEST_URI'] = request_URI();
?>

Rodolfo Gonzalez Costa Rica

2 years ago


This is a short script to know what values are defined 

<?php 

echo "<textarea>";
print_r($_SERVER);
echo "</textarea>";

?>

softontherocks at gmail dot com

1 year ago


I want to share with you a full function to get the remote IP that calls a PHP url using the $_SERVER array.

function getRealIP(){
 if( $_SERVER['HTTP_X_FORWARDED_FOR'] != '' ){
  $client_ip =
   ( !empty($_SERVER['REMOTE_ADDR']) ) ?
    $_SERVER['REMOTE_ADDR']
   :
            ( ( !empty($_ENV['REMOTE_ADDR']) ) ?
    $_ENV['REMOTE_ADDR']
    :
    "unknown" );
 
  $entries = split('[, ]', $_SERVER['HTTP_X_FORWARDED_FOR']);
 
  reset($entries);
  while (list(, $entry) = each($entries)){
   $entry = trim($entry);
   if ( preg_match("/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/", $entry, $ip_list) ){
    // http://www.faqs.org/rfcs/rfc1918.html
    $private_ip = array(
     '/^0\./',
     '/^127\.0\.0\.1/',
     '/^192\.168\..*/',
     '/^172\.((1[6-9])|(2[0-9])|(3[0-1]))\..*/',
     '/^10\..*/');
 
    $found_ip = preg_replace($private_ip, $client_ip, $ip_list[1]);
 
    if ($client_ip != $found_ip){
     $client_ip = $found_ip;
     break;
    }
   }
  }
 } else {
  $client_ip =
   ( !empty($_SERVER['REMOTE_ADDR']) ) ?
    $_SERVER['REMOTE_ADDR']
   :
    ( ( !empty($_ENV['REMOTE_ADDR']) ) ?
    $_ENV['REMOTE_ADDR']
    :
    "unknown" );
 }
 return $client_ip;
}

This function was found in http://softontherocks.blogspot.com/2013/07/obtener-la-direccion-ip-que-solicita.html

derniereclasse at gmail dot com

2 years ago


About $_SERVER['REQUEST_METHOD']
return one of this values : 
 'GET', 'HEAD', 'POST', 'PUT'.  
but can also return :
'OPTION'

Thomas Urban

7 years ago


Maybe you're missing information on $_SERVER['CONTENT_TYPE'] or $_SERVER['CONTENT_LENGTH'] as I did. On POST-requests these are available in addition to those listed above.

$_SERVER

$HTTP_SERVER_VARS [removed]

Description

Indices

Changelog

Examples

Notes

See Also

User Contributed Notes