PHP Environment strings and security question

  • hector

    PHP Environment strings and security question

    I have a few questions about PHP and environment strings, specifically
    PATH_INFO and PATH_TRANSLATED.

    I am trying to get a clear understanding of what these values should be when
    created by a web server script mapping implementation (in this case, our
    Wildcat! Web Server).

    By example, if the URLs are:

    /public_folder/testscript.php?arguments
    /private_folder/testscript.php?arguments

    public vs private refers to authentication required by web server (enforced
    by the web server based on the folder).

    The engine is defined by the script map table, for example:

    Extension: .PHP
    Engine: d:/php4/php.exe

    What would be the PATH_INFO and PATH_TRANSLATED with or without arguments?

    I'm asking because it seems to me, from a CGI standard, a PHP call would
    look like, for example:

    /CGI-BIN/php.exe/public_folder/testscript.php?arguments

    Therefore

    PATH_INFO=/public_folder/testscript.php?arguments
    PATH_TRANSLATED=c:\webserver\public_folder\testscript.php?arguments

    Is this correct?

    Finally, in terms of authentication and security, is it a good idea not to
    expose the direct physical path information to this script? Or is this a
    red herring in the sense that any possible malicious script already
    loaded/installed on the server has already got into the door?

    Thanks in advance

    -- hector
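
Added example, not part of the original post and not Wildcat! or PHP code: a sketch of how a server following the CGI/1.1 specification (RFC 3875) would derive these variables for the CGI-style URL in the post, including a check that PATH_TRANSLATED stays under the document root. The helper name `cgi_meta_vars` is hypothetical, and the document root `c:\webserver` is taken from the post's example.

```python
import ntpath  # Windows path rules on any OS, matching the post's c:\ example
from urllib.parse import unquote, urlsplit

DOC_ROOT = r"c:\webserver"        # document root, as in the post's example
SCRIPT_NAME = "/CGI-BIN/php.exe"  # CGI program URL, as in the post's example


def cgi_meta_vars(request_uri, script_name=SCRIPT_NAME, doc_root=DOC_ROOT):
    """Derive CGI/1.1 meta-variables for a request (hypothetical helper)."""
    parts = urlsplit(request_uri)
    path = unquote(parts.path)  # decode before any path check
    if path != script_name and not path.startswith(script_name + "/"):
        raise ValueError("request does not address the CGI program")

    # PATH_INFO is only the extra path after the script name; the text
    # after '?' is carried separately in QUERY_STRING.
    path_info = path[len(script_name):]
    env = {
        "SCRIPT_NAME": script_name,
        "PATH_INFO": path_info,
        "QUERY_STRING": parts.query,
    }
    if path_info:
        # PATH_TRANSLATED is PATH_INFO mapped through the document root.
        root = ntpath.normpath(doc_root)
        target = ntpath.normpath(ntpath.join(root, path_info.lstrip("/\\")))
        # commonpath() raises ValueError itself when the drives differ.
        if ntpath.commonpath([root, target]).lower() != root.lower():
            raise ValueError("PATH_INFO escapes the document root")
        env["PATH_TRANSLATED"] = target
    return env


if __name__ == "__main__":
    url = "/CGI-BIN/php.exe/public_folder/testscript.php?arguments"
    for name, value in cgi_meta_vars(url).items():
        print(f"{name}={value}")
```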
