Get current domain

Question

I have my site on the server http   www myserver uk com  On this server I have two domains  one com and two com  I would like to get the current domain using PHP  but if I use   SERVER  HTTP HOST   then it is showing me  myserver uk com  instead of  one com or two com  How can I get the domain  and not the server name

User · Answer

I know this might not be entirely on the subject, but in my experience, I find storing WWW-ness of current URL in a variable useful.

Edit: In addition, please see my comment below, to see what this is getting at.

This is important when determining whether to dispatch Ajax calls with "www", or without:

$.ajax("url" : "www.site.com/script.php", ...

$.ajax("url" : "site.com/script.php", ...

When dispatching an Ajax call the domain name must match that of in the browser's address bar, otherwise you will have Uncaught SecurityError in console.

So I came up with this solution to address the issue:

<?php
    substr($_SERVER['SERVER_NAME'], 0, 3) == "www" ? $WWW = true : $WWW = false;

    if ($WWW) {
        /* We have www.example.com */
    } else {
        /* We have example.com */
    }
?>

Then, based on whether $WWW is true, or false run the proper Ajax call.

I know this might sound trivial, but this is such a common problem that is easy to trip over.

User · Answer

Everybody is using the parse url function  but sometimes user may pass the argumet in different format   So as to fix that  I have created the function  Check this out   function fixDomainName  url            strToLower   strtolower trim  url         httpPregReplace   preg replace    http      i        strToLower        httpsPregReplace   preg replace    https      i        httpPregReplace        wwwPregReplace   preg replace    www   i        httpsPregReplace        explodeToArray   explode       wwwPregReplace        finalDomainName   trim  explodeToArray 0        return  finalDomainName      Just pass the URL and get the domain   For example   echo fixDomainName  https   stackoverflow com      will return the result will be  stackoverflow com   And in some situation   echo fixDomainName  stackoverflow com questions id slug      And it will also return stackoverflow com

User · Answer

Try using this    SERVER  SERVER NAME    Or parse     SERVER  REQUEST URI     apache request headers

User · Answer

Using   SERVER  HTTP HOST   gets me  subdomain  maindomain extension  It seems like the easiest solution to me   If you re actually  redirecting  through an iFrame  you could add a GET parameter which states the domain    lt iframe src  myserver uk com domain one com   gt    And then you could set a session variable that persists this data throughout your application

User · Answer

SERVER  HTTP HOST        to get the domain   protocol strpos strtolower   SERVER  SERVER PROTOCOL     https       FALSE    http     https    domainLink  protocol         SERVER  HTTP HOST        domain with protocol   url  protocol         SERVER  HTTP HOST         SERVER  QUERY STRING        protocol domain queryString total   As the   SERVER  SERVER NAME   is not reliable for multi domain hosting

User · Answer

The best use would be  echo   SERVER  HTTP HOST      And it can be used like this   if  strpos   SERVER  HTTP HOST     banana com       false        echo  Yes this is indeed the banana com domain       This code below is a good way to see all the variables in   SERVER in a structured HTML output with your keywords highlighted that halts directly after execution  Since I do sometimes forget which one to use myself - I think this can be nifty    lt  php        Change banana com to the domain you were looking for        wordToHighlight    banana com        serverVarHighlighted   str replace   wordToHighlight    lt span style   background-color  883399  color   FFFFFF    gt     wordToHighlight    lt  span gt       SERVER        echo   lt pre gt        print r  serverVarHighlighted       echo   lt  pre gt        exit      gt

User · Answer

Simply try   echo apache request headers   3

User · Answer

The only secure way of doing this The only guaranteed secure method of retrieving the current domain is to store it in a secure location yourself  Most frameworks take care of storing the domain for you  so you will want to consult the documentation for your particular framework  If you re not using a framework  consider storing the domain in one of the following places         Secure methods of storing the domain                   Used By     A config file   Joomla  Drupal Symfony   The database   WordPress   An environmental variable Laravel     A service registry   Kubernetes DNS    The following work    but they re not secure Hackers can make the following variables output whatever domain they want  This can lead to cache poisoning and barely noticeable phishing attacks    SERVER  HTTP HOST    This gets the domain from the request headers which are open to manipulation by hackers  Same with    SERVER  SERVER NAME    This one can be made better if the Apache setting usecanonicalname is turned off  in which case   SERVER  SERVER NAME   will no longer be allowed to be populated with arbitrary values and will be secure  This is  however  non-default and not as common of a setup  In popular systems Below is how you can get the current domain in the following frameworks systems  WordPress  urlparts   parse url home url      domain    urlparts  host     If you re constructing a URL in WordPress  just use home url or site url  or any of the other URL functions  Laravel request  - gt getHost    The request  - gt getHost function is inherited from Symfony  and has been secure since the 2013 CVE-2013-4752 was patched  Drupal The installer does not yet take care of making this secure  issue  2404259   But in Drupal 8 there is documentation you can you can follow at Trusted Host Settings to secure your Drupal installation after which the following can be used   Drupal  request  - gt getHost      Other frameworks Feel free to edit this answer to include how to get the current domain in your favorite framework  When doing so  please include a link to the relevant source code or to anything else that would help me verify that the framework is doing things securely   Addendum Exploitation examples   Cache poisoning can happen if a botnet continuously requests a page using the wrong hosts header  The resulting HTML will then include links to the attackers website where they can phish your users  At first the malicious links will only be sent back to the hacker  but if the hacker does enough requests  the malicious version of the page will end up in your cache where it will be distributed to other users   A phishing attack can happen if you store links in the database based on the hosts header  For example  let say you store the absolute URL to a user s profiles on a forum  By using the wrong header  a hacker could get anyone who clicks on their profile link to be sent a phishing site   Password reset poisoning can happen if a hacker uses a malicious hosts header when filling out the password reset form for a different user  That user will then get an email containing a password reset link that leads to a phishing site  Another more complex form of this skips the user having to do anything by getting the email to bounce and resend to one of the hacker s SMTP servers  for example CVE-2017-8295    Here are some more malicious examples   Additional Caveats and Notes   When usecanonicalname is turned off the   SERVER  SERVER NAME   is populated with the same header   SERVER  HTTP HOST   would have used anyways  plus the port   This is Apache s default setup  If you or devops turns this on then you re okay -- ish -- but do you really want to rely on a separate team  or yourself three years in the future  to keep what would appear to be a minor configuration at a non-default value  Even though this makes things secure  I would caution against relying on this setup  Redhat  however  does turn usecanonical on by default  source   If serverAlias is used in the virtual hosts entry  and the aliased domain is requested    SERVER  SERVER NAME   will not return the current domain  but will return the value of the serverName directive  If the serverName cannot be resolved  the operating system s hostname command is used in its place  source   If the host header is left out  the server will behave as if usecanonical was on  source   Lastly  I just tried exploiting this on my local server  and was unable to spoof the hosts header  I m not sure if there was an update to Apache that addressed this  or if I was just doing something wrong  Regardless  this header would still be exploitable in environments where virtual hosts are not being used   Little Rant            This question received hundreds of thousands of views without a single mention of the security problems at hand  It shouldn t be this way  but just because a Stack Overflow answer is popular  that doesn t mean it is secure

User · Answer

Try   SERVER  SERVER NAME     Tips  Create a PHP file that calls the function phpinfo   and see the  PHP Variables  section  There are a bunch of useful variables we never think of there

[php] Get current domain

Examples related to php

Examples related to url

Examples related to php-5.2