SERVER_NAME:

  • The name of the server host under which the current script is executing.
  • If the script is running on a virtual host, this will be the value defined for that virtual host.
  • SERVER_NAME comes from the server's VirtualHost definition (the ServerName directive) and is therefore usually considered the more reliable of the two.
  • It can, however, also be manipulated from outside under certain conditions that depend on how your web server is configured: on Apache, for instance, whenever UseCanonicalName is Off, which is the default, SERVER_NAME is filled from the client's Host header rather than from ServerName.

HTTP_HOST:

  • Contents of the Host: header from the current request, if there is one.
  • HTTP_HOST is the target host sent by the client. It can be manipulated freely by the user.
  • It's no problem to send a request to your site asking for any Host value you like, so nothing derived from HTTP_HOST can be treated as trusted.
HTTP_HOST vs SERVER_NAME:

  • Imagine your web server has a default host set up as follows:
Apache Config
UseCanonicalName Off
ServerName example.org
  • The ServerName directive might seem like the only thing that affects $_SERVER['SERVER_NAME'], but is this a safe assumption?
  • To determine what effect the Host header has, if any, create an index.php in the document root of the default host with the following code:
Php Code
<?php
// Echo both values exactly as PHP sees them, so the effect of each Host header is visible.
echo "HTTP_HOST [{$_SERVER['HTTP_HOST']}]\n";
echo "SERVER_NAME [{$_SERVER['SERVER_NAME']}]";
?>

You can test several different values for Host easily enough with telnet; after connecting, type the request line and headers by hand, followed by an empty line:

Shell
telnet example.org 80

Here are a few tests and corresponding results. For each test, we show the exact request and the content of the response.

1. No Host, HTTP/1.0

Request:

GET / HTTP/1.0

Result:

HTTP_HOST []
SERVER_NAME [example.org]

2. Empty Host, HTTP/1.0

Request:

GET / HTTP/1.0
Host:

Result:

HTTP_HOST []
SERVER_NAME []

With an empty Host, SERVER_NAME is empty.

3. Empty Host, HTTP/1.1

Request:

GET / HTTP/1.1
Host:

Result:

HTTP_HOST []
SERVER_NAME []

4. XSS Host, HTTP/1.1

Request:

GET / HTTP/1.1
Host: <script>alert('XSS')</script>

Result:

HTTP_HOST [<script>alert('XSS')</script>]
SERVER_NAME [&lt;script&gt;alert('XSS')&lt;/script&gt;]

With a non-empty Host, SERVER_NAME is the HTML-escaped Host value. HTTP_HOST, by contrast, is echoed exactly as sent, so any page that prints it without escaping is cross-site scriptable from the request alone.

5. SQL Injection Host, HTTP/1.1

Request:

GET / HTTP/1.1
Host: chris' --

Result:

HTTP_HOST [chris' --]
SERVER_NAME [chris' --]

  • As you can see from the results, under certain circumstances the Host header can affect $_SERVER['SERVER_NAME'].
  • With UseCanonicalName Off, the ServerName directive is used only when the Host header is absent (with UseCanonicalName On, Apache uses ServerName regardless of the Host header), and $_SERVER['SERVER_NAME'] is apparently escaped with something like htmlentities().
  • Sometimes it's hard to tell whether a particular element in $_SERVER can be affected by the HTTP request (ask Sean about PHP_SELF),
  • so I find it easier to treat everything from $_SERVER just as if it were something like $_GET or $_POST.
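The practical consequence of the tests above is that an application must never build anything security-relevant (absolute links, password-reset URLs, cache keys, redirects) from the raw Host value. The following is an added example, not code from the original article: it resolves the request host against an allow-list of the names this deployment actually serves and falls back to a configured canonical host otherwise. ALLOWED_HOSTS, CANONICAL_HOST and the reset_url() consumer are assumptions for illustration; the sample requests are constructed to mirror the telnet tests.

```php
<?php
// Added example (not from the original article).
// ALLOWED_HOSTS and CANONICAL_HOST are assumed deployment settings.

const ALLOWED_HOSTS  = ['example.org', 'www.example.org'];
const CANONICAL_HOST = 'example.org';

/**
 * Return the host from a $_SERVER-like array only if it is one of the hosts
 * this deployment serves; otherwise return the canonical host.
 * An optional :port is stripped before comparison so "example.org:8080"
 * still matches, and comparison is case-insensitive, as DNS names are.
 */
function effective_host(array $server): string
{
    $raw = $server['HTTP_HOST'] ?? '';
    // Cheap syntactic filter first: RFC 1123 hostname characters, optional :port.
    // Anything else (spaces, quotes, angle brackets, ...) never reaches the allow-list.
    if (!preg_match('/\A([a-z0-9.-]{1,253})(:\d{1,5})?\z/i', $raw, $m)) {
        return CANONICAL_HOST;
    }
    $host = strtolower($m[1]);
    return in_array($host, ALLOWED_HOSTS, true) ? $host : CANONICAL_HOST;
}

/** Example consumer: the absolute URL placed in a password-reset e-mail. */
function reset_url(array $server, string $token): string
{
    $https  = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    $scheme = $https ? 'https' : 'http';
    return sprintf('%s://%s/reset?token=%s', $scheme, effective_host($server), rawurlencode($token));
}

// Constructed requests mirroring the telnet tests above, plus two extra cases.
$cases = [
    'no Host'         => [],
    'empty Host'      => ['HTTP_HOST' => ''],
    'XSS Host'        => ['HTTP_HOST' => "<script>alert('XSS')</script>"],
    'SQLi Host'       => ['HTTP_HOST' => "chris' --"],
    'attacker host'   => ['HTTP_HOST' => 'evil.example.net'],
    'legit with port' => ['HTTP_HOST' => 'WWW.Example.org:8080', 'HTTPS' => 'on'],
];
foreach ($cases as $label => $server) {
    printf("%-16s -> %s\n", $label, reset_url($server, 'abc123'));
}
```

Every hostile case above yields http://example.org/reset?token=abc123, while the legitimate request yields https://www.example.org/reset?token=abc123. Whether to fall back to the canonical host or to answer 400 is a design choice: silently substituting keeps the site reachable when a misconfigured proxy sends the wrong name, while rejecting makes such misconfiguration visible immediately. Either is acceptable; copying the unvalidated Host into SERVER_NAME, as the wp-config.php workaround below does, is not.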
SERVER_NAME instead of HTTP_HOST:

  • We found a problem with our configuration (nginx and php-fpm).
  • When you define the domain in your plugin you are using SERVER_NAME as its value.
  • SERVER_NAME with this configuration is not the same as HTTP_HOST, so the plugin is not working.
  • We have changed it to get the SERVER_NAME from HTTP_HOST, which is what the user is really loading in their browser.
  • With this line in wp-config.php it's working well:
Php Code
$_SERVER['SERVER_NAME'] = $_SERVER['HTTP_HOST'];

Get host name or server name in PHP:

  • $_SERVER['HTTP_HOST'] gives you the host information obtained from the HTTP request header; this is what the client actually used as the "target host" of the request.
  • $_SERVER['SERVER_NAME'] normally returns the same result as $_SERVER['HTTP_HOST'], but is defined in the server configuration.
  • However, if your server is running behind a reverse proxy, HTTP_HOST and SERVER_NAME describe the hop between the proxy and the application, and the name the client asked for arrives in $_SERVER['HTTP_X_FORWARDED_HOST'] (with $_SERVER['HTTP_X_FORWARDED_SERVER'] carrying the proxy's own name). These are ordinary request headers: a client that can reach the application directly, or whose proxy passes them through untouched, can set them to anything, so only honour them when the request really came from your proxy and the proxy overwrites them.
Php Code
// Prefer the proxy-supplied headers when present, otherwise fall back to the direct values.
// Note: this snippet does not check who sent the X-Forwarded-* headers; see the caveat above.
$host_name = isset($_SERVER['HTTP_X_FORWARDED_HOST'])
    ? $_SERVER['HTTP_X_FORWARDED_HOST'] : $_SERVER['HTTP_HOST'];
$server_name = isset($_SERVER['HTTP_X_FORWARDED_SERVER'])
    ? $_SERVER['HTTP_X_FORWARDED_SERVER'] : $_SERVER['SERVER_NAME'];
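The snippet above trusts X-Forwarded-Host from anyone. The following is an added example, not code from the original page, of the check a deployment behind a reverse proxy actually needs: the forwarded header is used only when REMOTE_ADDR is one of our own proxies, and whichever value wins is still confined to an allow-list. TRUSTED_PROXIES, ALLOWED_HOSTS and the sample requests are constructed for illustration.

```php
<?php
// Added example (not from the original page).
// TRUSTED_PROXIES and ALLOWED_HOSTS are assumed deployment settings.

const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];
const ALLOWED_HOSTS   = ['example.org', 'www.example.org'];

/** Strip an optional :port and lower-case the name so comparisons are uniform. */
function normalize_host(string $host): string
{
    return strtolower(preg_replace('/:\d{1,5}\z/', '', trim($host)));
}

/** True only for syntactically sane names that appear on the allow-list. */
function is_allowed_host(string $host): bool
{
    $host = normalize_host($host);
    return preg_match('/\A[a-z0-9.-]{1,253}\z/', $host) === 1
        && in_array($host, ALLOWED_HOSTS, true);
}

/**
 * The host the client actually asked for, as seen through a trusted proxy.
 * Returns null when no candidate is acceptable so the caller can answer 400
 * instead of building URLs from attacker-chosen data.
 */
function client_host(array $server): ?string
{
    $candidates = [];
    $fromProxy  = in_array($server['REMOTE_ADDR'] ?? '', TRUSTED_PROXIES, true);
    if ($fromProxy && isset($server['HTTP_X_FORWARDED_HOST'])) {
        // If a proxy appends rather than overwrites, the client's forged value comes
        // first and the proxy's own value last; taking the last entry is correct in
        // both the overwrite and the append case.
        $parts        = explode(',', $server['HTTP_X_FORWARDED_HOST']);
        $candidates[] = end($parts);
    }
    $candidates[] = $server['HTTP_HOST'] ?? '';
    foreach ($candidates as $h) {
        if (is_allowed_host($h)) {
            return normalize_host($h);
        }
    }
    return null;
}

// Constructed requests (203.0.113.9 is a documentation address standing in for an outside client).
$cases = [
    'direct client, forged XFH' => ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_HOST' => 'evil.example.net', 'HTTP_HOST' => 'example.org'],
    'via proxy'                 => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_HOST' => 'www.example.org', 'HTTP_HOST' => 'backend.internal'],
    'via appending proxy'       => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_HOST' => 'evil.example.net, example.org', 'HTTP_HOST' => 'backend.internal'],
    'via proxy, bad XFH'        => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_HOST' => 'evil.example.net', 'HTTP_HOST' => 'backend.internal'],
];
foreach ($cases as $label => $server) {
    printf("%-26s -> %s\n", $label, client_host($server) ?? 'null (reject with 400)');
}
```

The first case resolves to example.org because the forged X-Forwarded-Host is ignored for a non-proxy sender; the second and third resolve to www.example.org and example.org; the last returns null, since neither the forwarded name nor the internal backend name is something the application should ever put in a URL. The same null path is the right response when the wp-config.php override above would otherwise copy an unvalidated Host into SERVER_NAME.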