php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #40853 get_project_env() to get current URI, accessing script...
Submitted: 2007-03-19 13:52 UTC Modified: 2021-02-12 15:08 UTC
Votes:14
Avg. Score:4.8 ± 0.4
Reproduced:12 of 13 (92.3%)
Same Version:3 (25.0%)
Same OS:3 (25.0%)
From: ng4rrjanbiah at rediffmail dot com Assigned: cmb (profile)
Status: Wont fix Package: *General Issues
PHP Version: 5.2.1 OS:
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: ng4rrjanbiah at rediffmail dot com
New email:
PHP Version: OS:

 

 [2007-03-19 13:52 UTC] ng4rrjanbiah at rediffmail dot com
Description:
------------
Why needed:

There is no reliable mechanism in PHP to get the current executing script name. $_SERVER['SCRIPT_FILENAME'] and $_SERVER['argv'][0] are not reliable now; the variables are again prone to tampering (say for example, any including scripts could override these global vars for that file scope).
Implementation of this function might also solve XSS issues.

How this function has to be implemented:

If the current accessed URI is 'http://example.com/foo_project/foobar.php?php=1&ajax=0'
get_project_env() returns

'current_uri'              => 'http://example.com/foo_project/foobar.php?php=1&ajax=0',
'current_accessing_script' => '/foo_project/foobar.php',
'current_file'             => '/foo_project/foobar.php', //will be different if the file is included (__FILE__)
'current_include_depth'    => 0                          //will be different if it's included by the accessing script


What urged me to post this request:

I have the file architecture something like:

<?php
//foo.php
include './config.php';
include './license_check.php';
//blah... the rest of the proprietary codes.

?>

All files except config.php and say foobar.php will be encrypted for proprietary reasons. I need to check if the accessing script is 'foobar.php' inside the license_check.php; see, the user can still access to the config.php and can tamper the $_SERVER--which is the only way now to get the current accessing script, AFA*I*K.
In this case, if I have get_project_env(), it will return untampered current URI, accessing script, etc. This will be very helpful.

Thanks,
R. Rajesh Jeba Anbiah


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-03-20 14:31 UTC] ng4rrjanbiah at rediffmail dot com
The function name can be get_script_env() instead of get_project_env() (for clarity, if you want)


Thanks,
R. Rajesh Jeba Anbiah
 [2007-03-28 14:37 UTC] ng4rrjanbiah at rediffmail dot com
Is this request need any further input from me?

Thanks,
R. Rajesh Jeba Anbiah
 [2021-02-12 15:08 UTC] cmb@php.net
-Status: Open +Status: Wont fix -Package: Feature/Change Request +Package: *General Issues -Assigned To: +Assigned To: cmb
 [2021-02-12 15:08 UTC] cmb@php.net
You can define get_project_env() in userland according to your
needs, so I don't think this should be integrated into PHP.  If
you still feel this feature should be added, please pursue the RFC
process[1].

[1] <https://wiki.php.net/rfc/howto>
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Mon Mar 08 09:01:23 2021 UTC