切换语言:
English
German
Spanish
French
Italian
Japanese
Brazilian Portuguese
Russian
Turkish
Ukrainian
Chinese (Simplified)
Other
预定义变量
PHP 提供了预定义变量,这些变量表述为外部变量、内置环境变量以及有关执行环境的其他信息,例如在
CLI 环境中传递给脚本的参数的数量和值。
目录超全局变量 — 在全部作用域中始终可用的内置变量$GLOBALS — 引用全局作用域中可用的全部变量$_SERVER — 服务器和执行环境信息$_GET — HTTP GET 变量$_POST — HTTP POST 变量$_FILES — HTTP 文件上传变量$_REQUEST — HTTP Request 变量$_SESSION — Session 变量$_ENV — 环境变量$_COOKIE — HTTP Cookies$php_errormsg — 前一个错误信息$http_response_header — HTTP 响应头$argc — 传递给脚本的参数数目$argv — 传递给脚本的参数数组
发现了问题?
了解如何改进此页面
•
提交拉取请求
•
报告一个错误
+添加备注
用户贡献的备注 16 notes
up
down
31
New York PHP ¶20 years ago
Warning: $_SERVER['PHP_SELF'] can include arbitrary user input. The documentation should be updated to reflect this.The request "http://example.com/info.php/attack%20here" will run /info.php, but in Apache $_SERVER['PHP_SELF'] will equal "/info.php/attack here". This is a feature, but it means that PHP_SELF must be treated as user input.The attack string could contain urlencoded HTML and JavaScript (cross-site scripting) or it could contain urlencoded linebreaks (HTTP response-splitting).The use of $_SERVER['SCRIPT_NAME'] is recommended instead.
up
down
13
danvasile at pentest dot ro ¶18 years ago
If you have problems with $_SERVER['HTTPS'], especially if it returns no values at all you should check the results of phpinfo(). It might not be listed at all. Here is a solution to check and change, if necessary, to ssl/https that will work in all cases:Of course, this should be done before any html tag or php echo/print.
up
down
11
Nicolae Namolovan ¶17 years ago
SECURITY RISK !Never ever trust the values that comes from $_SERVER.HTTP_X_FORWARDED, HTTP_X_FORWARDED_FOR, HTTP_FORWARDED_FOR, HTTP_FORWARDED, etc.. can be spoofed !To get the ip of user, use only $_SERVER['REMOTE_ADDR'], otherwise the 'ip' of user can be easily changed by sending a HTTP_X_* header, so user can escape a ban or spoof a trusted ip.Of course this is well know, but I don't see it mentioned in these notes..If you use the ip only for tracking (not for any security features like banning or allow access to something by ip), you can also use HTTP_X_FORWARDED to get user's ip what are behind proxy.
up
down
13
nathan ¶19 years ago
Also on using IPs to look up country & city, note that what you get might not be entirely accurate. If their ISP is based in a different city or province/state, the IPs may be owned by the head office, and used across several areas. You also have rarer situations where they might be SSHed into another server, on the road, at work, at a friend's... It's a nice idea, but as the example code shows, it should only be used to set defaults.
up
down
9
Aardvark ¶19 years ago
$_GET may not handle query string parameter values which include escaped Unicode values resulting from applying the JavaScript "escape" function to a Unicode string.To handle this the query parameter value can be obtained using a function such as:function getQueryParameter ($strParam) { $aParamList = explode('&', $_SERVER['QUERY_STRING']); $i = 0; while ($i < count($aParamList)) { $aParam = split('=', $aParamList[$i]); if ($strParam == $aParam[0]) { return $aParam[1]; } } return "";}or by directly building an array or query string values and then processing the parameter string using a function such as the "unescape" function which can be found at http://www.kanolife.com/escape/2006/03/unicode-url-escapes-in-php.html (or http://www.kanolife.com/escape/ for related info).
up
down
9
jameslporter at gmail dot com ¶19 years ago
Refer to CanonicalName if you are not getting the ServerName in the $_SERVER[SERVER_NAME] variable....This was a pain to figure out for me...now it works as expected by turning canonical naming on.http://www.apacheref.com/ref/http_core/UseCanonicalName.html
up
down
7
Joe Marty ¶18 years ago
I think it is very important to note that PHP will automatically replace dots ('.') AND spaces (' ') with underscores ('_') in any incoming POST or GET (or REQUEST) variables.This page notes the dot replacement, but not the space replacement:http://us2.php.net/manual/en/language.variables.external.phpThe reason is that '.' and ' ' are not valid characters to use in a variable name. This is confusing to many people, because most people use the format $_POST['name'] to access these values. In this case, the name is not used as a variable name but as an array index, in which those characters are valid.However, if the register_globals directive is set, these names must be used as variable names. As of now, PHP converts the names for these variables before inserting them into the external variable arrays, unfortunately - rather than leaving them as they are for the arrays and changing the names only for the variables set by register_globals.If you want to use:The value you will get in your POST array, for isntance would be:$_POST['title_for_page3_php']
up
down
7
mrnopersonality at yahoo dot com ¶20 years ago
Nothing about the message-body ...You can get cookies, session variables, headers, the request-uri , the request method, etc but not the message body. You may want it sometimes when your page is to be requested with the POST method.Maybe they should have mentioned $HTTP_RAW_POST_DATA or php://stdin
up
down
6
Gregory Boshoff ¶19 years ago
$_SERVER['QUERY_STRING'] Does not contain XHTML 1.1 compliant ampersands i.e. &So you will need to do something like this if you are to use $_SERVER['QUERY_STRING'] in URL's.// XHTML 1.1 compliant ampersands $_SERVER['QUERY_STRING'] = str_replace(array('&', '&'), array('&', '&'), $_SERVER['QUERY_STRING']);
up
down
7
youdontmeanmuch [at] yahoo.com ¶21 years ago
Be carful when using $_SERVER['DOCUMENT_ROOT']; in your applications where you want to distribute them to other people with different server types. It isnt always supported by the webserver (IIS).
up
down
6
Anonymous ¶19 years ago
I was unable to convince my hosting company to change their installation of PHP and therefore had to find my own way to computer $_SERVER["DOCUMENT_ROOT"]. I eventually settled on the following, which is a combination of earlier notes (with some typos corrected):
up
down
7
drew dot griffiths at clare dot net ¶19 years ago
Re: You can take advantage of 404 error to an usable redirection using REQUEST_URI ...Whilst this is effective, a line in the .htaccess such as:RewriteEngine OnRewriteRule ^profiles/([A-Za-z0-9-]+) showprofile.php?profile=$1 [L,NC,QSA]will throw the requested profile in a variable $profile to the showprofile.php page. You can further enhance the url (e.g http://servername/profiles/Jerry/homeaddress/index.htm) and the second variable value homeaddress becomes available in $url_array[3] when used below $url_array=explode("/",$_SERVER['REQUEST_URI']); Hope this helps - Works well for meDrew
up
down
5
Ben XO ¶19 years ago
So you have an application in your web space, with a URL such as this:http://
up
down
5
Gregory Boshoff ¶20 years ago
The Environment variable $ENV is useful for coding portable platform specific application constants. // Define a Windows or else Linux root directory path$_ENV['OS'] == 'Windows_NT' ? $path = 'L:\\www\\' : $path = ' /var/www/';define('PATH', $path);echo PATH;
up
down
3
mfyahya at gmail dot com ¶20 years ago
If you use Apache's redirection features for custom error pages or whatever, the following Apache's REDIRECT variables are also available in $_SERVER:$_SERVER['REDIRECT_UNIQUE_ID]' $_SERVER['REDIRECT_SCRIPT_URL]' $_SERVER['REDIRECT_SCRIPT_URI]' $_SERVER['REDIRECT_SITE_ROOT]' $_SERVER['REDIRECT_SITE_HTMLROOT]' $_SERVER['REDIRECT_SITE_CGIROOT]' $_SERVER['REDIRECT_STATUS]' $_SERVER['REDIRECT_QUERY_STRING]' $_SERVER['REDIRECT_URL]' I'm not sure if this is a complete list though
up
down
-1
dusted at dusted dot dk ¶14 years ago
I use HTTP_X_FORWARDED_FOR because my webserver is behind a reverse proxy.This can be made secure:Configure the reverse proxy to block this field, and override it correctly.Configure the apache server to only accept incoming connections from the reverse proxy.
+添加备注