Comments on: PHPHelp with CGI Enviroment http://healyourchurchwebsite.com/2002/07/27/phphelp-with-cgi-enviroment/ Teaching, rebuking, correcting & training in righteous web design. Mon, 04 Jan 2010 07:25:04 +0000 http://wordpress.org/?v=2.9 hourly 1 By: Keith http://healyourchurchwebsite.com/2002/07/27/phphelp-with-cgi-enviroment/comment-page-1/#comment-181 Keith Sun, 28 Jul 2002 05:36:00 +0000 http://healyourchurchwebsite.com/2002/07/27/phphelp-with-cgi-enviroment#comment-181 I don't know why people insist on using getenv() for variables that are already available to you. <blockquote>Why do I use getenv() instead of looking into the GLOBALS array for these values? Because anyone can spoof those values in the globals array. We cannot trust these same values when they come from the GLOBALS array, but getenv() retrieves the values directly from the environment. Many of these values are important to maintaining security on the web, such as REMOTE_HOST (for access to user's IP address) or PATH_INFO (sometimes carrying crucial information to scripts).</blockquote> Yeah, I guess... just use $_SERVER, $_ENV, or $HTTP_ENV_VARS, which has always been available. Does getenv involve a system call? I don’t know why people insist on using getenv() for variables that are already available to you.

Why do I use getenv() instead of looking into the GLOBALS array for these values? Because anyone can spoof those values in the globals array. We cannot trust these same values when they come from the GLOBALS array, but getenv() retrieves the values directly from the environment. Many of these values are important to maintaining security on the web, such as REMOTE_HOST (for access to user’s IP address) or PATH_INFO (sometimes carrying crucial information to scripts).

Yeah, I guess… just use $_SERVER, $_ENV, or $HTTP_ENV_VARS, which has always been available. Does getenv involve a system call?

]]>