views: 124
answers: 5

I have configured the wildcard DNS of *.mydomain.com and it's all working properly. My question is which of these I should rely on to identify client subdomain requests:

  1. $_SERVER["HTTP_HOST"]
  2. $_SERVER["SERVER_NAME"]
  3. $_SERVER["SCRIPT_URI"]

They all seem to contain the subdomain part I want but after reading this article by Chris: http://shiflett.org/blog/2006/mar/server-name-versus-http-host, I'm lost at sea and there appears to be no safe way to do this?

Any idea on accomplishing this task securely? Which approach would you prefer?

Update: sorry, I meant this post: http://shiflett.org/blog/2006/mar/server-name-versus-http-host

+1  A: 

I'd suggest that you get the current page URL, then use a regular expression to check. Be sure to ignore things like www, www2, etc.

sjobe
A: 
// A negative limit drops the last two labels (the registered domain);
// whatever labels remain are the subdomain part.
$subdomain = explode('.', $_SERVER['HTTP_HOST'], -2);

Returns an array always, and can be empty if there is no subdomain. You should also make sure to notice that this could return www as an array value, and that would link to your root domain anyway.

Mark Tomlin
A: 

You can use any but most use HTTP_HOST.

You don't have to worry about 'security' here since you allow a wildcard for your subdomains. You won't be able to stop a user from entering a 'threatening' subdomain and sending a request to your server.

If you want to disallow certain subdomains then you have several options, but that's a different question.

zaf
Funny logic. "Don't worry as you can't prevent an attack anyway". What if he can?
Col. Shrapnel
Am I missing some form of attack that exploits the subdomains part of the URL even if the code is just 'identifying' the subdomain?
zaf
@Col. Shrapnel: You cannot prevent attacks. You can only prevent that these attacks are successful.
Gumbo
@Gumbo sure. but I think "you don't have to worry" is wrong conclusion anyway :)
Col. Shrapnel
A: 

Too much talk of such a little problem.
Everyone says it's dangerous but no one bothers to write a solution, as simple as

$mydomain='example.com';
$subdomain="";
$matches=array();

// HTTP_HOST may carry a :port, which would defeat the $ anchor; strip it first.
$host=preg_replace('/:\d+$/','',$_SERVER['HTTP_HOST']);

// Anchor at both ends so only one label directly under $mydomain is accepted
// (hyphens are valid in a label, underscores are not), and pass the delimiter
// to preg_quote so it is escaped as well.
$pat='!^([a-z0-9-]+)\.'.preg_quote($mydomain,'!').'$!i';
if (preg_match($pat,$host,$matches)) $subdomain=$matches[1];
Col. Shrapnel
+1  A: 

HTTP_HOST comes directly from the Host header. Apache does not clean it up in any way. Even for non-wildcard setups, the first virtual host in your config will receive a request whose Host header doesn't match any of your configured vhosts, so you have to be careful with it. Treat it like any other user data. Filter it appropriately before using it.

Rasmus
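The following is an added example, not code from any answer in this thread. It combines the regex approach above with Rasmus's advice to treat HTTP_HOST as untrusted input: the host is normalised (case, trailing dot, optional port), then accepted only if it is exactly one valid DNS label directly under the configured zone, so values such as `example.com.evil.net`, `a.b.example.com` or a value containing CRLF are rejected rather than partially matched. The zone name `example.com`, the list of root aliases (`www`, `www2`) and the sample hosts are assumptions constructed for the demonstration.

```php
<?php
// Added example (not from the original thread). Returns the single-label
// subdomain for a Host header value under $base, or null when the host is
// not under $base, is a root alias such as www, or is malformed.
function subdomain_from_host(string $host, string $base): ?string
{
    // Normalise: surrounding whitespace, case, an optional :port
    // (HTTP_HOST can carry "foo.example.com:8080") and a trailing dot.
    $host = strtolower(trim($host));
    $host = preg_replace('/:\d{1,5}$/', '', $host);
    $host = rtrim($host, '.');

    // Anchored at both ends, so only "<label>.<base>" matches. The label must
    // be a valid DNS label: 1-63 chars of [a-z0-9-], not starting or ending
    // with a hyphen. The D modifier stops $ from matching before a trailing
    // newline. $base is escaped for the / delimiter.
    $pattern = '/^([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)\.'
             . preg_quote($base, '/') . '$/D';
    if (!preg_match($pattern, $host, $m)) {
        return null;
    }

    // Labels that simply alias the root site are reported as "no subdomain".
    // Assumed alias list for this example.
    $rootAliases = ['www', 'www2'];
    if (in_array($m[1], $rootAliases, true)) {
        return null;
    }
    return $m[1];
}

// Constructed sample Host values, including hostile ones.
$base = 'example.com';
$samples = [
    'alice.example.com',                    // plain tenant
    'Alice.Example.COM:8080',               // case and port
    'bob.example.com.',                     // trailing dot
    'www.example.com',                      // root alias
    'example.com',                          // root itself
    'a.b.example.com',                      // two levels deep
    'example.com.evil.net',                 // suffix spoof
    'alice.example.com/../',                // path junk
    "alice\r\nX-Injected: 1.example.com",   // CRLF in the value
    '-bad.example.com',                     // invalid label
];

foreach ($samples as $h) {
    $sub = subdomain_from_host($h, $base);
    printf("%-45s => %s\n", json_encode($h), $sub === null ? '(rejected or root)' : $sub);
}
```

In the application you would call `subdomain_from_host($_SERVER['HTTP_HOST'], 'example.com')` and treat a null result as "serve the root site" or "404", never falling back to another header such as SERVER_NAME, which on a wildcard vhost is derived from the same untrusted value anyway. The returned label is still only used as a lookup key (tenant id, directory name) after this check; it is never interpolated into shell commands, SQL or file paths unescaped.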