$_SERVER['REQUEST_URI'] ... Server or header generated?
Hello all,
I use a database instead of sessions to keep information about a user. One of my columns tracks the current page that the user is on, and it is simply an update to the table setting the value with $_SERVER['REQUEST_URI']. I have been seeing some strange URLs in there lately, IE Welcome to Intel. I thought request URI was generated by the server, and pays no attention to the given header information. One of two things is happening here: 1) I have a breach in my code somewhere, which I don't see how is possible since this code never touches user input. 2) request_uri is sent by the header and is being modified. Does anyone have any information or tips about this?
I'm not sure of the semantics of REQUEST_URI or if it's easy enough to spoof, but if you're having troubles with it, you could try using PHP_SELF. I've never personally run into troubles with REQUEST_URI being incorrect, but I also haven't run any high traffic sites.
-m
Isn't REQUEST_URI the URI the browser is requesting so it would be sent by the browser?
Quote:
That's what I am trying to figure out. I am a little surprised that it would be this way though, coming from the server global variable. But then again, HTTP_REFERER, REQUEST_METHOD, HTTP_USER_AGENT are all set by the browser, so it may very well be. I just found it interesting that looking through my current list of 'who's online' locations, I had several full address URLs that have no relation to mine whatsoever. Looks like I may just start defining a variable that describes the page, that way it isn't server generated.
As far as I know it's the URI requested by the browser, as it changes along with the address you type in (which is the URI).
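Added example, not part of the thread: one way to treat `$_SERVER['REQUEST_URI']` as client-supplied input before recording it as a user's current page. It assumes the unexpected entries are absolute-form request targets (a full URL on the request line); the function name and the sample values are constructed for illustration.

```php
<?php
// Added example, not code from the thread. The function name is hypothetical.

/**
 * Reduce a raw request target to a local path suitable for a
 * "who's online" column, or return null when it should not be recorded.
 */
function page_from_request_target(string $raw, int $maxLen = 255): ?string
{
    // Reject empty, oversized, or control-character values before parsing.
    if ($raw === '' || strlen($raw) > $maxLen || preg_match('/[\x00-\x1F\x7F]/', $raw)) {
        return null;
    }
    // A local page is an origin-form target: it starts with exactly one "/".
    // Absolute-form ("http://host/..."), authority-form ("host:443"), "*"
    // and "//host/..." come straight from the client and are not local pages.
    if ($raw[0] !== '/' || strncmp($raw, '//', 2) === 0) {
        return null;
    }
    // Keep only the path so query-string values are not stored.
    return explode('?', $raw, 2)[0];
}

// Constructed sample request targets (not taken from the thread).
$samples = [
    '/forum/showthread.php?t=42',
    'http://other-site.example/',
    'other-site.example:443',
    '//other-site.example/x',
    "/index.php\r\nX-Injected: 1",
];

foreach ($samples as $raw) {
    $page = page_from_request_target($raw);
    printf("%-45s => %s\n", json_encode($raw, JSON_UNESCAPED_SLASHES), $page ?? '(not recorded)');
}

// In the application: $page = page_from_request_target($_SERVER['REQUEST_URI'] ?? '');
// then store $page through a prepared statement with a bound parameter.
```

Only the first sample is recorded (as `/forum/showthread.php`); the other four are rejected.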