Hi,
 
> It seems to be the case but this is not documented anywhere on php.net.
> Instead http://php.net/manual/en/function.apache-request-headers.php say
> "You can also get at the value of the common CGI variables by reading them
> from the environment".

For the environment, this is no longer true; most multi-threaded webservers don't
have separate environments for every thread (because they can't). You should
only use $_SERVER! The global $_ENV is only safe to use in php-cli, where
you have a defined environment, but not inside webservers. Only Apache
currently sets the $_ENV equally to the $_SERVER, but only when used in
prefork mode (not on Windows).

> This comment
> http://www.php.net/manual/en/reserved.variables.server.php#87195
> from 2008 concurs. Zend and Symfony both seem to be happy to read even
> X- custom headers from SERVER without bothering with
> apache_request_headers() or anything like that.
> 
> I have tried to read some SAPI code and while most of them are a bit
> obscure, to the best of my understanding at least nsapi.c copies every
> request header (ok, there are very few exceptions, but certainly doesn't
> care about custom ones).

Thanks for pointing that out. Yes, I wrote that NSAPI code and the main idea
was to reflect the HTTP_ server/env variables as Apache / CGI spec does. I
know many other SAPIs don't take care and they are broken for lots of
applications because of this. Insufficient knowledge on the APIs of those
SAPIs prevented me from fixing it there, too. Apache SAPIs are safe, because
they don't take care what variables to register, because they take what
Apache itself uses as request variables (so it simply clones the Apache
request environment). And those variables are the ones that everybody
expects. To mimic Apache's behavior (which is also defined in CGI/1.1 spec,
but "optional" only), I programmed the converter in the NSAPI SAPI that
takes all request headers and transforms them to CGI variables. It should
also handle "X-" headers correctly (transformed to "HTTP_X_").

> So... is this official enough that I can amend the
> reserved.variables.server.php and the function.apache-request-headers.php
> pages stating that every HTTP header including custom ones can be found
> in SERVER (with the odd security exceptions)?

Theoretically that should be the case, but it isn't for most older SAPIs,
which are partly unmaintained. Also, only NSAPI and ISAPI (as far as I know)
mimic apache_request_headers; this is not part of the SAPI spec. The function is
not available in every SAPI.

Uwe


-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
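
The header-to-variable conversion discussed in this message, with a portable fallback for SAPIs that lack apache_request_headers(). This is an added example, not part of the original message and not PHP's or the NSAPI module's own code; cgi_name(), headers_from_server() and request_headers() are hypothetical helper names, and the sample array is constructed.

```php
<?php
// Added example: cgi_name(), headers_from_server() and request_headers()
// are hypothetical helpers, not PHP built-ins.

// Forward mapping used by CGI/1.1-style SAPIs:
// "X-Request-Id" becomes "HTTP_X_REQUEST_ID".
function cgi_name(string $header): string
{
    return 'HTTP_' . strtoupper(str_replace('-', '_', $header));
}

// Rebuild a header array from $_SERVER-style input.
function headers_from_server(array $server): array
{
    $headers = [];
    foreach ($server as $key => $value) {
        $key = (string) $key;
        if (strncmp($key, 'HTTP_', 5) === 0) {
            $name = substr($key, 5);
        } elseif ($key === 'CONTENT_TYPE' || $key === 'CONTENT_LENGTH') {
            $name = $key; // CGI/1.1 passes these two without the HTTP_ prefix
        } else {
            continue;     // not derived from a request header
        }
        // The mapping is lossy: original case and '-' versus '_' cannot be
        // recovered, so names are normalised to the Word-Word form.
        $name = ucwords(str_replace('_', ' ', strtolower($name)));
        $headers[str_replace(' ', '-', $name)] = $value;
    }
    return $headers;
}

// Use the SAPI's own function where it exists, otherwise fall back to $_SERVER.
function request_headers(): array
{
    if (function_exists('apache_request_headers')) {
        $h = apache_request_headers();
        if (is_array($h)) {
            return $h;
        }
    }
    return headers_from_server($_SERVER);
}

// Constructed sample of what a SAPI might register in $_SERVER.
$sample = [
    'REQUEST_METHOD'    => 'GET',
    'HTTP_HOST'         => 'www.example.test',
    'HTTP_X_REQUEST_ID' => 'abc123',
    'CONTENT_TYPE'      => 'application/json',
];
print_r(headers_from_server($sample));
```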