PHP_SELF and HTTP_HOST producing weird results

hey guys,

see attached image for what I’m questioning. I have traffic analysis code behind all of my pages. and a file that is ““included”” contains this code, among other lines:

$host = $_SERVER['HTTP_HOST'];
$page = isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : '';

the issue is that, sometimes when I view the log page, the PHP_SELF info that was captured comes through in all capital letters. and, sometimes too, in another bout of weirdness, the information is captured as ““mail.domain.com””. has anyone seen this before!? why would this happen? I’m guessing it’s a result of the endless amount of bot software running rampant on the internet, sourced from all different underground people the world over?

thanks.

Adam

weird_transacting_by_PHP1830×544 208 KB

Do not use $_SERVER[‘PHP_SELF’]. It is vulnerable to an XSS attack.

well I appreciate that, ben. but you didn’t answer a single thing I asked in this thread. LOL. care to expand on your one sentence answer? =)

and I’m not too worried about any attacks really, as my contingency measures and backups are extremely unique. more than likely I will be hacked at some point in the future, but that doesn’t bother me too much. The money I bring in is not dependent on the sites that I manage being up and running or not.

Well, you might want to read this link that explains a little about HTTP_HOST. HTTP_HOST
One thing you should remember is that robots are quite often ran on local servers. And, can be a WAMP server on a pc or laptop somewhere. On these system, you can set the headers to be just about anything you want. Also, sometimes they are on a local lan system and this can also alter the IP addresses in odd ways. As far as the PHP_SELF goes, you already know the page you are on, so just use that to save in the database.

And, what Benanamen was talking about is using the PHP_SELF in a link on the page. You should not use that in links to other pages. Here is an explanation about it: XSS-Vulnerability

Lastly, when you decode IP addresses and domain names, there are ways to hide them. You can check for IVP4/IVP6 values and look for sub-net’s and proxies to get the real IP of the visitor. Here is a code sample from someone that might work well for you. Get-Real-IP

Hope this helps explain it further for you.

Ernie,

I’m not sure anything you said made sense to me, although I understand everything you said in your post. Do you understand what my question is? It’s not so much that I’m bothered by bots running all over the internet sourced from all over the world and from many different organizations, but rather wanted an understanding of why PHP_SELF appears as different strings or capitalized sometimes. Does that make sense? Did you answer that in your post here? Here’s examples of everything I’ve seen, as the information printed by the global on the site I reference in my first post:

=> www.adamevanovich.com
=> WWW.ADAMEVANOVICH.COM
=> adamevanovich.com
=> ADAMEVANOVICH.COM
=> mail.adamevanovich.com

thanks Ernie.

Well, are all of these posted from the same system? Or did you test it from different systems?

For robots, you can add a robots file to stop them. This will not stop the hacker robots, but, will stop many of the common ones such as Google.

If you are testing these from different systems, it is most likely that they have different host names set up.
Also, it may be a caching issue on the server. Or even a browser cache issue. Are you testing with several different systems?

Sorry if I did not help you much with your main question.

Well ernie,

As I stated before it’s just a curiosity issue. The global variable I am talking about returns all sorts of strings in terms of the web page that’s being visited as per my previous post. So as far as it being a browser caching issue, I seriously doubt that’s the case because I dump all the temporary junk all the time from chrome and Firefox when I view this report page and these records in the traffic law always show up like this all the time. Some more or less what I’m saying is that just out of curiosity and based off of everything you said, I’m guessing that the reason the same string appears in all different forms after a transaction comes through and the PHP code records the website visit, the server that’s visiting the page has all sorts of different configurations. Based on what you said that’s the only thing that makes sense at this point and if you want to view the page that I’m talking about take a look at it, it’s here:

www. adamevanovich.com/r/r.php

Heading to bed shortly… But, went to your site and it does have my ISP correctly listed.
But, it has your domain name for the “visitor domain name”.

I know that Ernie. that is a mistake by me in the code, but I know what is what, so it is irrelevant. the fact of the matter is, that the VISITOR DOMAIN NAME is being printed by the database which gets its value from PHP_SELF. so my question still stands.

How about posting the code so we can see what you’re working with.

sure thing, ben. here ya go:

CAPTURE CODE:

<?php

$dbHost = "ip";
$dbName= "dbName";
$dbUsername = "username";
$dbPassword = "pw";
$ip = gethostbyaddr($_SERVER['REMOTE_ADDR']);
$host = $_SERVER['HTTP_HOST'];
$page = isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : '';
date_default_timezone_set('America/Chicago'); //change server time zone to UTC-600 (Chicago, IL time)
$date = date("Y/m/d");
$time = date("H:i:s");

	mysqli_report(MYSQLI_REPORT_ERROR|MYSQLI_REPORT_STRICT);
	$conn = new mysqli($dbHost, $dbUsername, $dbPassword, $dbName);

	$stmt = $conn->prepare("INSERT INTO tblTraffic (ip, host, page, date, time) 
						  	VALUES (?, ?, ?, ?, ?)");
	$stmt->bind_param("sssss", $ip, $host, $page, $date, $time);
	$stmt->execute();
	$stmt->close();
	$conn->close();

?>

REPORT CODE:

$sql = mysqli_query($conn, "SELECT ip
                                     , host 
                                     , page
                                     , DATE_FORMAT(date, '%m/%d/%y') as date
                                     , TIME_FORMAT(time, '%T') as time
                                FROM tblTraffic'
                                ORDER BY date DESC, time DESC"); 

<?php 
    // printing table rows
    while($row = mysqli_fetch_row($sql)) {
        echo '<tr>';
        $index = 0;
        foreach ($row as $key => $col) {
            if ($index > 0)
                { echo "<td>$col</td>"; }
            $index++;
        }
    		echo '</tr>';
    }
    $conn->close(); 
?>

Here is the first problem with your post. PHP_SELF is the filename. The data you are getting in caps is from $_SERVER[‘HTTP_HOST’]

$_SERVER[‘HTTP_HOST’] is based on the request from the client.

You can test it here. Just enter your domain in caps or whatever and view the Request Header response shown
https://websniffer.cc/

yes you’re right, and I put in a couple of test runs on that site, typed in my domain and it returned the same thing. so if I type the domain in, in all CAPS, it returns the HEADER in all caps. that makes perfect sense. I’m guess that’s what you wanted me to see? I guess that’s good, but that still doesn’t tell me what’s going on with their server, which is probably the most important in part of this process.

If you want more info on what is making the request, capture the User Agent and Browser info. That may give you the answer you want.

<?php
echo $_SERVER['HTTP_USER_AGENT'] . "\n\n";

$browser = get_browser(null, true);
print_r($browser);

it’s not that I care too much, ben. I know that bots are all over the place and that they come from all sorts of sources. I mean I look this crap up all the time, and I’ve seen stuff render the page from every country in the world and virtually from any type of org in the world. and my only suspicion is that, simply because of the hatred and greed that runs the world, people all over the world are spying on everyone else to try and find out who’s profiting from what. wouldn’t you think that would be the case?

I agree with that comment! But, also since media now runs the world, everyone wants to know everything about you. Take Facebook for example. I keep away of that place! Ha!

PS: Ben’s name is Kevin! Ha!

everyone wants to know EVERYTHING about ME? why would you think that!? What do they care about me? I live in a small room and no one knows I exist! LOL. Except you guys here, perhaps…

Regarding your comment too Ernie, I think what you mean by ““everyone wants to know everything about you””, is really like ““people have access to so much information and they can’t help themselves, they’re literally freaking insane””. =)