My PHP scripts are able to write to the superglobal array $_SERVER.
Whilst messing with $_SERVER is pretty obviously a bad idea in almost all cases, there may be situations where it could be useful as a short-term band-aid or for some kinds of testing. Can I rely on it being writeable by scripts, or is this something that might be:
- different for different servers or PHP versions?
- controllable by some ini setting?
The PHP docs don’t appear to specify whether S_SERVER should be, or might be, read-only. They do imply that it’s just a variable, and therefore writeable like any other variable. However, since it’s a rather special variable, it seems reasonable to ask the question. It’s very easy to show $_SERVER being modified on a real PHP web page:
<?php
$uri = $_SERVER['REQUEST_URI'];
$_SERVER['REQUEST_URI'] = "test-value";
echo '<pre>
Before: "'.$uri.'"
After : "'.$_SERVER['REQUEST_URI'].'"
</pre>';
die();
>Solution :
All superglobals are writable.