$_SERVER['REQUEST_URI'] ... Server or header generated?
I use a database instead of sessions to keep information about a user. One of my columns tracks the current page that the user is on, and it is simply an update to the table setting the value with $_SERVER['REQUEST_URI']. I have been seeing some strange URLs in there lately, i.e. Welcome to Intel.
I thought request uri was generated by the server, and pays no attention to the given header information.
One of two things is happening here:
1) I have a breach in my code somewhere, which I don't see how is possible since this code never touches user input.
2) request_uri is sent by the header and is being modified.
Does anyone have any information or tips about this?
I'm not sure of the semantics of REQUEST_URI or if it's easy enough to spoof, but if you're having troubles with it, you could try using PHP_SELF. I've never personally run into troubles with REQUEST_URI being incorrect, but I also haven't run any high traffic sites.
Isn't REQUEST_URI the URI the browser is requesting so it would be sent by the browser?
That's what I am trying to figure out. I am a little surprised that it would be this way though, coming from the server global variable. But then again, HTTP_REFERER, REQUEST_METHOD, HTTP_USER_AGENT are all set by the browser, so it may very well be.
I just found it interesting that, looking through my current list of 'who's online' locations, I had several full address URLs that have no relation to mine whatsoever. Looks like I may just start defining a variable that describes the page, that way it isn't server generated.
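
Added example, not part of the original thread: the request target that ends up in REQUEST_URI is taken from the request line the client sends, and HTTP also allows absolute-form targets (a full `http://host/path` URL), so the value should be handled as user input. The PHP below maps it to an application-defined page label, along the lines of the last post, before anything is stored; the function name, the `$knownPages` map and the sample targets are constructed for illustration.

```php
<?php
// Added example: choose what to store in a "current page" column instead of
// writing the raw $_SERVER['REQUEST_URI'] value into it.
// page_label_for_request() and $knownPages are hypothetical names.

function page_label_for_request(string $rawTarget, array $knownPages): string
{
    // The request target is client-supplied: bound its size and reject
    // control bytes (CR, LF, NUL, ...) before using it for anything.
    if ($rawTarget === '' || strlen($rawTarget) > 2048
        || preg_match('/[\x00-\x1F\x7F]/', $rawTarget)) {
        return 'invalid';
    }

    // A normal page view uses origin-form: a single leading "/".
    // Absolute-form ("http://host/path"), "//host/path", "*" or "host:443"
    // are valid HTTP syntax but do not refer to a page of this site.
    if ($rawTarget[0] !== '/' || strncmp($rawTarget, '//', 2) === 0) {
        return 'foreign-target';
    }

    // Only the path identifies the page; drop the query string.
    $path = explode('?', $rawTarget, 2)[0];

    // Store a label the application defined, never the client's own text.
    return $knownPages[$path] ?? 'unknown-page';
}

// Constructed page map and sample targets (not taken from a real log).
$knownPages = [
    '/'               => 'home',
    '/index.php'      => 'home',
    '/forum/view.php' => 'forum-thread',
];
$samples = [
    '/index.php',
    '/forum/view.php?id=42',
    'http://www.example.com/',          // full URL, as seen in the first post
    '//www.example.com/x',
    "/index.php\r\nX-Injected: 1",
    '/no-such-page.php',
];
foreach ($samples as $target) {
    printf("%-36s => %s\n", json_encode($target),
        page_label_for_request($target, $knownPages));
}

// In the application:
//   $label = page_label_for_request($_SERVER['REQUEST_URI'] ?? '', $knownPages);
// and write $label to the table through a prepared statement.
```

Counting the `foreign-target` and `invalid` results per client address also shows how much of the odd traffic is automated probing rather than real page views.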