Pre-set variables

Before you even get control in your script, PHP has set a number of variables for you containing information about the server, the environment, and the request from your visitor. These are stored in the superglobal arrays for you, and you can get a fairly complete list of what is available by using the phpinfo() output.

The most commonly used variables, all of which are stored in the $_SERVER superglobal, are as follows:

HTTP_REFERER: If the user clicked a link to get the current page, this will contain the URL of the previous page they were at, or it will be empty if the user entered the URL directly.

HTTP_USER_AGENT: The name reported by the visitor's browser

PATH_INFO: Any data passed in the URL after the script name

PHP_SELF: The name of the current script

REQUEST_METHOD: Either GET or POST

QUERY_STRING: Includes everything after the question mark in a GET request

Note that you need to use HTTP_REFERER and not HTTP_REFERRER. This is one of the very few misspellings ever to make it into a web standard, but is now in widespread use and so too late to change.

Of those, HTTP_REFERER and HTTP_USER_AGENT are the most important, as you can use these two to tell an awful lot about your visitor and take the appropriate action. For example:

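    <?php
        if (isset($_SERVER['HTTP_REFERER'])) {
            // The Referer header is supplied by the client, so escape it before output
            $referer = htmlspecialchars($_SERVER['HTTP_REFERER'], ENT_QUOTES, 'UTF-8');
            print "The page you were on previously was {$referer}<br />";
        } else {
            print "You didn't click any links to get here<br />";
        }
    ?>
    <a href="refer.php">Click me!</a>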

When that page is loaded in your browser by typing the URL in by hand, the "You didn't click any links to get here" text is shown because HTTP_REFERER has not been set. However, if you click the "Click me!" link once the page has loaded, the page will reload itself, and this time HTTP_REFERER will be set and the new message should appear. Although it can be spoofed, HTTP_REFERER is generally a good way to make sure a visitor came from a certain page. Whether you want to use that to say, "you can't download my files because you came from another site", or "welcome, Google users!" is down to you, but there is a lot of scope for ideas.

The PATH_INFO element in $_SERVER is particularly interesting, because it allows you to grab directory information specified after the script. Consider this script:

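    <?php
        if (isset($_SERVER['PATH_INFO'])) {
            // PATH_INFO comes straight from the URL, so escape it before output
            $path = htmlspecialchars($_SERVER['PATH_INFO'], ENT_QUOTES, 'UTF-8');
            print "The page you requested was {$path}<br />";
        } else {
            print "You didn't request a page<br />";
        }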

If you save that as pathinfo.php in your document root, try loading it up in your web browser - you should see "You didn't request a page". Now, try editing the URL so that after pathinfo.php is a filename, with as much directory information as you want. For example: Now when you load the page, you should see that extra path information printed out. This is commonly used in online filesystems, as it means that the URLs required to get to files are just the name of the script followed by the filename wanted.
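When PATH_INFO is used to pick a file to serve, as in the online filesystem case above, the script has to confirm that the resolved path stays inside the directory it is meant to expose. The following is an added example, not code from the original page; it assumes PHP 7.1 or later, and BASE_DIR and resolveRequestedFile() are hypothetical names.

```php
<?php
// Added example: map PATH_INFO to a file under one fixed base directory.
// BASE_DIR and resolveRequestedFile() are hypothetical names for this sketch.
const BASE_DIR = '/var/www/files';   // assumption: where the served files live

// Returns the absolute path of the requested file, or null when the request
// is empty, malformed, missing, or resolves outside $baseDir.
function resolveRequestedFile(?string $pathInfo, string $baseDir): ?string
{
    if ($pathInfo === null || $pathInfo === '' || strpos($pathInfo, "\0") !== false) {
        return null;                    // nothing requested, or NUL byte in path
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                    // base directory does not exist
    }
    // realpath() collapses "..", "." and symlinks into one canonical path,
    // and returns false when the target does not exist.
    $target = realpath($base . DIRECTORY_SEPARATOR . ltrim($pathInfo, '/\\'));
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Containment check on the canonical path. The trailing separator stops
    // a sibling such as /var/www/files-private from matching /var/www/files.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

$file = resolveRequestedFile($_SERVER['PATH_INFO'] ?? null, BASE_DIR);
if ($file === null) {
    http_response_code(404);
    print "File not found<br />";
} else {
    header('Content-Type: application/octet-stream');
    header('Content-Length: ' . filesize($file));
    readfile($file);
}
```

The comparison is made on the output of realpath(), not on the raw PATH_INFO string, so encoded or nested directory tricks are judged by where they actually land on disk.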

Author's Note: Remember that the referrer value is set by the web browser, which means it can easily be faked. One common example of this is to edit the "hosts" file of the computer (/etc/hosts in Unix; c:\windows\system32\drivers\etc\hosts in Windows) so that the current computer is used as Then, J. Evil Hacker loads a simple page on their computer with a link to your "secure" script, and his browser will report that he came from As a result, you should never rely on HTTP_REFERER to be set, valid, or truthful, but it is a good start.



Copyright ©2015 Paul Hudson.