Can DOCUMENT ROOT be hacked?

in $_SERVER

         

idfer

4:43 pm on Oct 13, 2009 (gmt 0)

10+ Year Member



I know HTTP_REFERER, HTTP_USER_AGENT, QUERY_STRING and REQUEST_URI in $_SERVER all contain data that can be manipulated by the user, but what about the other values in $_SERVER? Assuming I've got register_globals off, if I use statements like:

include $_SERVER['DOCUMENT_ROOT'].'/myincludefile';

Can a hacker override that variable somehow and redirect my includes to their own server? My intuition says no, but the question does keep me up some nights. :)

dreamcatcher

6:29 am on Oct 24, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi idfer,

No, this should be pretty secure. It was why superglobals were introduced. So, the system knows the data is coming from the server it's running on. It's always going to default to the value on your server and cannot be overwritten.

dc
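
An added example, not part of either post above: PHP code that separates the $_SERVER keys filled in from the client's request from the rest, and resolves an include under a fixed base directory instead of a $_SERVER value. The sample array, all its values, and the function names clientInfluencedKeys and resolveInclude are constructed for illustration.

```php
<?php
// Constructed sample of $_SERVER for a single request (all values are made up).
$sampleServer = [
    'DOCUMENT_ROOT'        => '/var/www/example',            // from server configuration
    'SCRIPT_FILENAME'      => '/var/www/example/index.php',
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_HOST'            => 'client-chosen.example',
    'HTTP_REFERER'         => 'http://elsewhere.example/',
    'HTTP_USER_AGENT'      => 'anything',
    'HTTP_X_FORWARDED_FOR' => '10.0.0.1',
    'QUERY_STRING'         => 'a=1',
    'REQUEST_URI'          => '/index.php/extra?a=1',
    'PHP_SELF'             => '/index.php/extra',
    'PATH_INFO'            => '/extra',
];

/** Return the keys whose values are taken from the request the client sent. */
function clientInfluencedKeys(array $server): array
{
    $requestDerived = ['QUERY_STRING', 'REQUEST_URI', 'PHP_SELF', 'PATH_INFO',
                       'REQUEST_METHOD', 'CONTENT_TYPE', 'CONTENT_LENGTH'];
    $out = [];
    foreach (array_keys($server) as $key) {
        // Every HTTP_* entry is a request header copied in by the web server.
        if (strpos($key, 'HTTP_') === 0 || in_array($key, $requestDerived, true)) {
            $out[] = $key;
        }
    }
    return $out;
}

/** Resolve an include under a fixed base and refuse anything that escapes it. */
function resolveInclude(string $baseDir, string $relative): string
{
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $relative);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('include path outside base directory');
    }
    return $path;
}

print_r(clientInfluencedKeys($sampleServer));
// __DIR__ is resolved by PHP from this file's location, not read from $_SERVER.
echo resolveInclude(__DIR__, basename(__FILE__)), "\n";
```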