On Thu, Sep 8, 2011 at 10:20 AM, Uwe Schindler <theta...@php.net> wrote:
> Hi,
>
>> It seems to be the case but this is not documented anywhere on php.net.
>> Instead http://php.net/manual/en/function.apache-request-headers.php say
>> "You can also get at the value of the common CGI variables by reading them
>> from the environment".
>
> For the environment is no longer true, most multi-threaded webservers don't
> have separate environments for every thread (because they can't). You should
> only use $_SERVER! The global $_ENV is only safe to use in php-cli, where

OK, OK. This comment then definitely needs expansion. I didn't even realize it
was about $_ENV...

> Thanks for pointing that out. Yes, I wrote that NSAPI code and the main idea
> was to reflect the HTTP_ server/env variables as Apache / CGI spec does. I
> know many other SAPIs don't take care and they are broken for lots of
> applications because of this. Insufficient knowledge on the APIs of those
> SAPIs prevented me from fixing it there, too.
>
> I programmed the converter in the NSAPI SAPI that
> takes all request headers and transforms them to CGI variables. It should
> also handle "X-" headers correctly (transformed to "HTTP_X_").
>
>> So... is this official enough that I can amend the
>> reserved.variables.server.php
>> and the function.apache-request-headers.php pages stating that every HTTP
>> header including custom ones can be found in SERVER (with the odd security
>> exceptions)?
>
> Theoretically that should be the case, but it isn't for most older SAPIs,
> which are partly unmaintained. Also, only NSAPI and ISAPI (as far as I know)
> mimic apache_request_headers, this is not part of SAPI spec. The function is
> not available in every SAPI.

So then how should we proceed with augmenting documentation, esp. in the light
of Zend / Symfony already relying on these headers? The CGI specs (horribly
old) say

http://tools.ietf.org/html/draft-robinson-www-interface-00

    The server is not required to create environment variables for all the
    headers that it receives. In particular, it may remove any headers
    carrying authentication information, it may remove headers whose value
    is available to the script via other variables

but it does not say further that "the rest should be created". I tried to
check for example the nginx fastcgi documentation itself, which is superbly
terse

http://wiki.nginx.org/HttpFcgiModule#fastcgi_pass_header

and doesn't say which ones are passed by default.
A few rows down it says "Determines whether the request headers are passed to
the backend as HTTP_* values. Should generally be left on." but -- really
opaque.

Should the documentation say something like "It's reasonable to expect all
custom HTTP headers to be found in $_SERVER but there are a few web servers
where this is broken"?

Regards

NK

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
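
The header-to-variable mapping discussed in this thread, as an added example that is not part of the original message or of any SAPI's code. The function names and the sample array are constructed for illustration.

```php
<?php
// Added example; function names are hypothetical, not from any SAPI.

/** Forward mapping: request header name -> CGI-style variable name. */
function header_to_cgi_name(string $header): string
{
    $name = strtoupper(str_replace('-', '_', $header));
    // CGI gives these two their own variables, without the HTTP_ prefix.
    if ($name === 'CONTENT_TYPE' || $name === 'CONTENT_LENGTH') {
        return $name;
    }
    return 'HTTP_' . $name;
}

/**
 * Reverse mapping: rebuild headers from a $_SERVER-like array.
 * Lossy: original case is gone and "-" cannot be told apart from "_".
 */
function headers_from_server(array $server): array
{
    $headers = [];
    foreach ($server as $key => $value) {
        $key = (string) $key;
        if (strncmp($key, 'HTTP_', 5) === 0) {
            $name = substr($key, 5);
        } elseif ($key === 'CONTENT_TYPE' || $key === 'CONTENT_LENGTH') {
            $name = $key;
        } else {
            continue; // not derived from a request header
        }
        $name = ucwords(strtolower(str_replace('_', '-', $name)), '-');
        $headers[$name] = $value;
    }
    return $headers;
}

// Constructed sample shaped like $_SERVER under a CGI-style SAPI.
$server = [
    'REQUEST_METHOD'        => 'GET',
    'HTTP_HOST'             => 'example.test',
    'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest',
    'CONTENT_TYPE'          => 'text/plain',
    // No HTTP_AUTHORIZATION entry: the server may withhold such headers.
];
print_r(headers_from_server($server));

// Both spellings land on one key, so $_SERVER alone cannot show which was sent.
var_dump(header_to_cgi_name('X-Custom-Id') === header_to_cgi_name('X_Custom_Id'));
```

Because the reverse mapping is lossy, code that needs the header exactly as the client sent it cannot rely on $_SERVER alone, and headers the server chose not to export are simply absent from the array.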