I'm writing an app using PHP and have been looking into security issues. I'd like to know how the following code grabs browser information and how it is passed from the browser to the server:

$_SERVER['HTTP_USER_AGENT']
$_SERVER['REMOTE_ADDR']
gethostbyaddr($_SERVER['REMOTE_ADDR'])

Is this information encrypted when it's passed from the client PC to the server? Would it be easy for a hacker to steal this data?

  • $_SERVER variables don't come from the browser; they come from the web server (Apache, nginx, etc)... if they contain browser information, then it is information that the browser has sent to the webserver in its request headers Commented May 4, 2016 at 8:44
  • This might contain some useful information: security.stackexchange.com/questions/32299/… Commented May 4, 2016 at 8:47
  • HTTP_USER_AGENT is not something you can trust. REMOTE_ADDR can also be the IP of the load balancer or proxy server, so you should check for the header X-Forwarded-For as well. What security issues are you trying to solve anyway? Commented May 4, 2016 at 8:57
  • What do you mean by "encrypted"? Who should "steal" such data? Commented Aug 26, 2020 at 7:58

3 Answers

1

Browser -> Apache -> PHP

Spoofing/faking $_SERVER variables other than the HTTP_ ones is difficult, as there are some handshakes between your Apache and the browser, so if someone tries to spoof these variables he will not receive any response. For example, if someone tries to spoof REMOTE_ADDR, it is probable that the request will not be completed.

On the other hand, all the variables that start with HTTP_ are easy to spoof, and they are sent to PHP just as Apache received them from the browser. So, for example, a user can write a curl script with a custom User-Agent (HTTP_USER_AGENT) and you will receive it as is.


1

The $_SERVER superglobal is populated by the web server rather than by PHP, but some of its entries are derived from the HTTP request header: those with the "HTTP_" prefix are generated by the client (request headers), while REMOTE_ADDR is the address at the TCP level, not arbitrary but also no guarantee.

  • HTTP_USER_AGENT is plain text in the header, easy to modify
  • REMOTE_ADDR is technically the TCP-level IP address; it requires some equipment or specific software to fake it towards the server.

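As an added example (not code from the question or from any of the answers above), tying together the two answers above: the PHP below shows which of the three values in the question a client can choose freely (anything under HTTP_*), which one comes from the TCP connection itself (REMOTE_ADDR), and how to read X-Forwarded-For, mentioned in the comments, without letting a client forge it. The proxy address, the hostnames and the sample $_SERVER arrays are constructed for illustration and are assumptions, not values from the page.

```php
<?php
// Added example: how the three values the question asks about reach PHP, and
// which of them the client controls.
//
// REMOTE_ADDR is the source address of the TCP connection that Apache/nginx
// accepted. HTTP_* entries are copied verbatim from request headers, so
// anything a client can type into a header ends up there, e.g.
//   curl -A 'NotARealBrowser/1.0' -H 'X-Forwarded-For: 1.2.3.4' https://example.test/
// sets HTTP_USER_AGENT and HTTP_X_FORWARDED_FOR to whatever the caller chose.
// (example.test and all addresses below are placeholders; assumption.)

declare(strict_types=1);

/**
 * Return the client IP, trusting X-Forwarded-For only when the direct TCP peer
 * (REMOTE_ADDR) is one of our own reverse proxies / load balancers.
 *
 * @param array<string,string> $server         the $_SERVER array (or a copy)
 * @param string[]             $trustedProxies IPs of proxies we operate
 */
function clientIp(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';

    // Connection did not come from one of our proxies: the header is
    // client-supplied and must be ignored.
    if (!in_array($peer, $trustedProxies, true)) {
        return $peer;
    }

    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '') {
        return $peer;
    }

    // Each proxy appends the address it saw. The rightmost entry was added by
    // our trusted proxy, so it is the only one we believe; entries further
    // left were supplied by whoever connected to the proxy and may be forged.
    $hops = array_map('trim', explode(',', $xff));
    $candidate = end($hops);

    // Reject garbage: the value must parse as an IP address.
    return filter_var($candidate, FILTER_VALIDATE_IP) !== false ? $candidate : $peer;
}

// Constructed sample $_SERVER arrays standing in for two real requests.
$trusted = ['10.0.0.5'];   // assumption: the address of our load balancer

$direct = [   // a client connecting straight to Apache
    'REMOTE_ADDR'          => '203.0.113.9',
    'HTTP_USER_AGENT'      => 'NotARealBrowser/1.0',   // client-chosen, untrusted
    'HTTP_X_FORWARDED_FOR' => '1.2.3.4',               // forged by the client
];

$viaProxy = [   // the same client coming in through the load balancer
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_USER_AGENT'      => 'NotARealBrowser/1.0',
    'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 203.0.113.9',  // LB appended the real peer
];

echo 'direct:    ', clientIp($direct, $trusted), PHP_EOL;   // forged XFF is ignored
echo 'via proxy: ', clientIp($viaProxy, $trusted), PHP_EOL; // rightmost hop, added by our LB

// gethostbyaddr() performs a reverse DNS (PTR) lookup on whatever you pass it.
// The PTR record is controlled by whoever owns the address block, so treat the
// result as a label for logs, never as an identity check, and keep the raw IP
// next to it. Without a PTR record (or without network access) PHP hands the
// IP string back unchanged.
$host = gethostbyaddr('203.0.113.9');
echo 'peer resolves to: ', $host, PHP_EOL;
```

Run it with `php example.php`. The point of the two sample requests is that the same forged `X-Forwarded-For: 1.2.3.4` header is harmless in both cases: when the client connects directly, the header is ignored because REMOTE_ADDR is not a trusted proxy; when it arrives through the load balancer, only the address the balancer appended is used. Reading `$_SERVER['HTTP_X_FORWARDED_FOR']` unconditionally, or taking its leftmost entry, would let any client pick the IP your application logs or rate-limits on.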

0

Essentially the PHP script gets these variables from the web server. On the manual page, there is a list of the variable names, and their descriptions.

So, to answer your question shortly, they are obtained from the web server you are using.

If someone were to try to fake one, like $_SERVER['REMOTE_ADDR'], there is information on how it can be done here, though I've never looked into it.

Hope this helps in some way :)
