I need to use $_SERVER variables like SCRIPT_FILENAME for an MVC framework I'm writing. I'm wondering if a user can change things like that. Say the user requests index.php, can they fake the SCRIPT_FILENAME variable and rename it to something else that is being sent over?
A:
Assuming that the user doesn't have access to some way that re-directs the execution of the script through another script, or access to the server, I'd say no.
Also, if you're really worried about that, you can use __FILE__, which doesn't depend on user data.
known
2009-10-03 03:37:54
+3
A:
Some $_SERVER values are safe, others are not. The unsafe ones mostly start with HTTP_ and are the HTTP headers sent by the user's browser.
ceejayoz
2009-10-03 05:07:35
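The split described in the answers, as an added example that is not code from either poster: it partitions a $_SERVER array into client-influenced and server-set keys and takes the framework root from __FILE__ instead of the request. It goes beyond the HTTP_ prefix by also listing a few request-derived keys; the function name, constant name and sample values are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Keys without the HTTP_ prefix that still come from the request line or
// request headers, so the client influences them as well.
const CLIENT_INFLUENCED = [
    'REQUEST_URI', 'QUERY_STRING', 'PATH_INFO', 'PHP_SELF',
    'REQUEST_METHOD', 'CONTENT_TYPE', 'CONTENT_LENGTH',
];

// Hypothetical helper: split a $_SERVER-style array by who controls each key.
function partition_server_vars(array $server): array
{
    $out = ['client' => [], 'server' => []];
    foreach ($server as $key => $value) {
        $fromClient = strncmp((string) $key, 'HTTP_', 5) === 0
            || in_array($key, CLIENT_INFLUENCED, true);
        $out[$fromClient ? 'client' : 'server'][$key] = $value;
    }
    return $out;
}

// Constructed sample request: the client sent a forged Host header and
// a forged X-Forwarded-For header.
$sample = [
    'SCRIPT_FILENAME'      => '/var/www/app/index.php',
    'REMOTE_ADDR'          => '203.0.113.7',
    'REQUEST_URI'          => '/index.php/extra?x=1',
    'HTTP_HOST'            => 'forged.example',
    'HTTP_X_FORWARDED_FOR' => '127.0.0.1',
];

$parts = partition_server_vars($sample);
echo 'client-influenced: ', implode(', ', array_keys($parts['client'])), "\n";
echo 'set by server:     ', implode(', ', array_keys($parts['server'])), "\n";

// Framework root derived from this file's location, independent of any
// value carried in the request.
define('APP_ROOT', dirname(__FILE__));
echo 'APP_ROOT: ', APP_ROOT, "\n";
```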