Request #70809 Prevent usage of $_SERVER (performance penalty)
Submitted: 2015-10-29 08:40 UTC Modified: -
From: raat1979 at gmail dot com Assigned:
Status: Open Package: Apache related
PHP Version: Next Minor Version OS: webserver
Private report: No CVE-ID: None
 [2015-10-29 08:40 UTC] raat1979 at gmail dot com
Description:
------------
PHP can be configured to have the $_SERVER variable be created on first access.
The reason for this is to increase performance.

Unfortunately, there is no alternative for many of the $_SERVER values.

It's possible to use apache_request_headers() to get the HTTP headers; unfortunately, this function does not return the request line.

Other portions of the $_SERVER related to HTTP/hosting variables should also be covered by functions, but the most needy would certainly be the request line.

Test script:
---------------
It would be of benefit to have a function apache_request_line($parse=false) that would return the request line as sent by the client.

This would greatly reduce the need of using the $_SERVER variable and its performance impact.

Another option would be to add an optional argument to apache_request_headers($requestline=APACHE_REQUEST_NONE) to include the request line
APACHE_REQUEST_NONE=0  : don't add anything (default/original behavior)
APACHE_REQUEST_LINE=1  : request string on index 0
APACHE_REQUEST_PARTS=2 : request string parts on index 1,2 and 3


Expected result:
----------------
$d= apache_request_line(/* $parse= */ true);
Expected result:

Array('Method'=>'GET',
      'Path'=>'/index.php',
      'Protocol'=>'HTTP/1.1'
     )
====================================================================
$d= apache_request_line(/* $parse = */ false);
Expected result:
'GET /index.php HTTP/1.1'
====================================================================
$d= apache_request_headers(/* $requestline = */ APACHE_REQUEST_LINE);
Expected result:
Array(0=>'GET /index.php HTTP/1.1',
     'Host'=>'www.example.org'
     ...
     )
====================================================================
$d= apache_request_headers(/* $requestline = */ APACHE_REQUEST_ARRAY);
Expected result:
Array(1=>'GET', 
      2=>'/index.php', 
      3=>'HTTP/1.1',
     'Host'=>'www.example.org'
     ...
     )
====================================================================
$d= apache_request_headers(APACHE_REQUEST_LINE | APACHE_REQUEST_ARRAY);
Expected result:
Array(0=>'GET /index.php HTTP/1.1',
      1=>'GET', 
      2=>'/index.php', 
      3=>'HTTP/1.1',
     'Host'=>'www.example.org'
     ...
     )
====================================================================
$d= apache_request_headers(/* APACHE_REQUEST_NONE */);
Expected result (current implementation):
Array('Host'=>'www.example.org'
     ...
     )
====================================================================

I would not expect any decoding of the URI query of any kind; it should be passed as-is (any decoding can be done with the appropriate functions manually).
There are plenty of functions that implement this.


Actual result:
--------------
At the moment we need to populate the full $_SERVER variable with a lot of unneeded stuff just to get the request URI.
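
The behaviour requested above, sketched in userland as an added example; it is not part of the original report and not PHP's or Apache's own code. The `ex_` functions and `EX_REQUEST_*` constants are hypothetical names, and the request line is a constructed string passed in by the caller, because the point of the report is that PHP offers no accessor for it outside $_SERVER.

```php
<?php
declare(strict_types=1);

// Hypothetical userland stand-ins for the flags proposed in the report.
const EX_REQUEST_NONE  = 0;
const EX_REQUEST_LINE  = 1;
const EX_REQUEST_PARTS = 2;

// Split a raw request line into the array shape the report asks for.
// The target is returned byte-for-byte: no URL decoding, no normalisation.
function ex_parse_request_line(string $line): ?array
{
    // Method is an HTTP token; the target may not hold whitespace or control bytes.
    $re = '/\A([!#$%&\'*+.^_`|~0-9A-Za-z-]+) ([^\x00-\x20\x7f]+) (HTTP\/\d\.\d)(?:\r?\n)?\z/';
    if (preg_match($re, $line, $m) !== 1) {
        return null; // reject instead of guessing at an ambiguous line
    }
    return ['Method' => $m[1], 'Path' => $m[2], 'Protocol' => $m[3]];
}

// Merge the request line into a header array as the proposed flag argument would.
// A header field literally named "0".."3" is a valid token and PHP casts such keys
// to integers, so it would collide with the reserved indexes; the request line wins.
function ex_request_headers(array $headers, string $line, int $flags = EX_REQUEST_NONE): array
{
    if ($flags === EX_REQUEST_NONE) {
        return $headers;
    }
    $parts = ex_parse_request_line($line);
    if ($parts === null) {
        throw new InvalidArgumentException('malformed request line');
    }
    $out = [];
    if ($flags & EX_REQUEST_LINE) {
        $out[0] = implode(' ', $parts); // single spaces are guaranteed by the regex
    }
    if ($flags & EX_REQUEST_PARTS) {
        [$out[1], $out[2], $out[3]] = array_values($parts);
    }
    return $out + $headers;
}

// Constructed sample input, not captured traffic.
$line = "GET /index.php?q=a%20b HTTP/1.1\r\n";
var_dump(ex_parse_request_line($line));
var_dump(ex_parse_request_line("GET /a b HTTP/1.1")); // malformed: space inside the target
print_r(ex_request_headers(['Host' => 'www.example.org'], $line, EX_REQUEST_LINE | EX_REQUEST_PARTS));
```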

Last updated: Thu Apr 18 08:02:42 2024 UTC