Request #70809 Prevent usage of $_SERVER (performance penalty)
Submitted: 2015-10-29 08:40 UTC Modified: -
From: raat1979 at gmail dot com Assigned:
Status: Open Package: Apache related
PHP Version: Next Minor Version OS: webserver
Private report: No CVE-ID: None
 [2015-10-29 08:40 UTC] raat1979 at gmail dot com
Description:
------------
PHP can be configured to have the $_SERVER variable be created on first access.
The reason for this is to increase performance.

Unfortunately, there is no alternative for many of the $_SERVER values.

It's possible to use apache_request_headers() to get the HTTP headers; unfortunately, this function does not return the request line.

Other portions of the $_SERVER related to HTTP/hosting variable should also be covered by functions but the most needy would certainly be the request line.

Test script:
---------------
It would be of benefit to have a function apache_request_line($parse=false) that would return the request line as sent by the client.

This would greatly reduce the need of using the $_SERVER variable and its performance impact.

Another option would be to add an optional argument to apache_request_headers($requestline=APACHE_REQUEST_NONE) to include the request line
APACHE_REQUEST_NONE=0  : don't add anything (default/original behavior)
APACHE_REQUEST_LINE=1  : request string on index 0
APACHE_REQUEST_PARTS=2 : request string parts on index 1,2 and 3


Expected result:
----------------
$d= apache_request_line(/* $parse= */ true);
Expected result:

Array('Method'=>'GET',
      'Path'=>'/index.php',
      'Protocol'=>'HTTP/1.1'
     )
====================================================================
$d= apache_request_line(/* $parse = */ false);
Expected result:
'GET /index.php HTTP/1.1'
====================================================================
$d= apache_request_headers(/* $requestline = */ APACHE_REQUEST_LINE);
Expected result:
Array(0=>'GET /index.php HTTP/1.1',
     'Host'=>'www.example.org'
     ...
     )
====================================================================
$d= apache_request_headers(/* $requestline = */ APACHE_REQUEST_ARRAY);
Expected result:
Array(1=>'GET', 
      2=>'/index.php', 
      3=>'HTTP/1.1',
     'Host'=>'www.example.org'
     ...
     )
====================================================================
$d= apache_request_headers(APACHE_REQUEST_LINE | APACHE_REQUEST_ARRAY);
Expected result:
Array(0=>'GET /index.php HTTP/1.1',
      1=>'GET', 
      2=>'/index.php', 
      3=>'HTTP/1.1',
     'Host'=>'www.example.org'
     ...
     )
====================================================================
$d= apache_request_headers(/* APACHE_REQUEST_NONE */);
Expected result (current implementation):
Array('Host'=>'www.example.org'
     ...
     )
====================================================================

I would not expect any decoding of the URI query of any kind; it should be passed as-is (any decoding can be done with the appropriate functions manually).
There are plenty of functions that implement this.


Actual result:
--------------
At the moment we need to populate the full $_SERVER variable with a lot of unneeded stuff just to get the request URI.
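
Added example, not part of the original report and not PHP project code: a userland version of the parsing that the proposed apache_request_line() describes, assuming the raw request line is already available as a string. The function name parse_request_line() and the sample lines are hypothetical; the request target is returned undecoded, and any line that is not exactly "method SP target SP version" is rejected rather than repaired.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical stand-in for the proposed apache_request_line($parse).
 * Takes the raw request line as an argument (assumption: the caller has it).
 * Requires PHP 8.0+ for the union return type.
 *
 * Returns null for a malformed line, the line itself when $parse is false,
 * or the three parts keyed as in the report when $parse is true.
 */
function parse_request_line(string $line, bool $parse = false): string|array|null
{
    // Remove exactly one line terminator; everything else is significant.
    $line = preg_replace('/\r?\n\z/', '', $line);

    // method = HTTP token characters, target = visible ASCII without spaces,
    // version = HTTP/<digit>.<digit>, separated by exactly one space each.
    $pattern = '/\A([!#$%&\'*+\-.^_`|~0-9A-Za-z]+) ([\x21-\x7E]+) (HTTP\/\d\.\d)\z/';
    if (preg_match($pattern, $line, $m) !== 1) {
        return null; // reject instead of guessing what the client meant
    }
    if (!$parse) {
        return $m[0];
    }
    // The target is passed through as-is: no urldecode(), no parse_str().
    return ['Method' => $m[1], 'Path' => $m[2], 'Protocol' => $m[3]];
}

// Constructed sample request lines (not taken from the report).
$samples = [
    "GET /index.php HTTP/1.1\r\n",
    "GET /search?q=a%20b&x=%2F HTTP/1.1\r\n", // query stays percent-encoded
    "GET  /index.php HTTP/1.1\r\n",           // double space: rejected
    "GET /index.php\tHTTP/1.1\r\n",           // tab as separator: rejected
    "GET /a b HTTP/1.1\r\n",                  // space inside target: rejected
];

foreach ($samples as $sample) {
    var_export(parse_request_line($sample, true));
    echo "\n";
}
```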

Last updated: Tue Oct 08 20:01:27 2024 UTC