[wp-hackers] Why WP_SITEURL and not $_SERVER['HTTP_HOST']?

Mike Schinkel mikeschinkel at newclarity.net
Tue Mar 30 21:06:46 UTC 2010

On Mar 30, 2010, at 7:37 AM, Jeremy Visser wrote:
>> Anyone know why WordPress doesn't just use $_SERVER['HTTP_HOST'] and
>> instead requires setting of WP_SITEURL (and WP_HOME?)
>> There's obviously a good reason why it wasn't used, right?
>  GET / HTTP/1.1
>  Host: " onclick="nastyCode()" dummy="
> I can't really think of any practical applications for this, but using
> HTTP_HOST is a possible path for arbitrary unfiltered strings to be
> echoed out. My above example is a bit naïve though -- do forgive me.


This would solve that problem, right?

$valid_domains = array( /* ... */ );
if (in_array($_SERVER['HTTP_HOST'], $valid_domains))

On Mar 30, 2010, at 7:19 AM, Mike Little wrote:
> On 30 March 2010 11:32, Mike Schinkel <mikeschinkel at newclarity.net> wrote:
>> The follow up is: Why then don't we just store "a/b/c/d/" to WP_SITEPATH
>> and you get the domain from $_SERVER['HTTP_HOST'] and the port from
>> $_SERVER['SERVER_PORT']?  (we can hardcode the "http(s)", that's okay. :-)
> Because a/b may be the site url (and c/d a page name), or it may be a/b/c;
> there's no way of knowing until it's manually set up.

If it's "a/b", set it as "a/b."  My question *assumed* it was "a/b/c/d" based on your comment and not "a/b."
OTOH, my question really asked why must it be set to "http://example.com/a/b" or "http://example.com/a/b/c/d" instead of just "a/b" or "a/b/c/d."  The distinction between "a/b" and "a/b/c/d" is not relevant to the question. 

> There are (perhaps 'were' now ) places in both WP and WPMU that assumed no
> port number, and, in WPMU, that assume only http.

Then don't set the port number and assume http, that's easy.  Neither of those affects the question which is "why force the domain portion of WP_SITEURL to be set?"

>> IOW, if I were to run this code as
>> early as I can in the bootstrap, what problems might it cause?:
>>       $old_domain = get_option('siteurl');
>>       $new_domain = $_SERVER['HTTP_HOST'];
>>       if ($old_domain != $new_domain) {
>>               $valid_domains = array('dev.examples.com','test.example.com','stage.example.com','www.example.com');
>>               if (in_array($new_domain,$valid_domains) && in_array($old_domain,$valid_domains))
>>                       do_action('switch_domain',array('old'=>$old_domain,'new'=>$new_domain));
>>       }
> I've already written some code like this for a pre-packaged and populated WP
> install, and the *first time* it got used it was installed on
> http://ip.add.re.ss:5017/wrong-path/ -- my code didn't work at all!

Who used it?  Why did this happen?  Was it because you didn't require them to authenticate before the switch?

Was it in an active development/deployment situation or was it someone using your code and something without your direct involvement?

> I managed to convince them to accept the path part as pre-defined (otherwise
> internal links would break), but they wouldn't budge on the ip address and
> port number.

Who are "they?"  Sorry, but I'm very confused by the anecdote and would like to understand it better.
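
An added example (not part of the original message and not WordPress core code) of the allowlist check discussed in this thread: the Host header is normalized, syntax-checked and compared strictly against known hostnames, with a configured fallback when it does not match. The function name pick_site_host(), the fallback parameter, the allowlist and the sample Host values are assumptions made for illustration.

```php
<?php
// Added example; names are hypothetical and the sample values are constructed.

/**
 * Return the request host only if it is on the allowlist,
 * otherwise return the configured fallback host.
 */
function pick_site_host($raw_host, array $allowed_hosts, $fallback_host) {
    // Host is case-insensitive and may carry a port ("www.example.com:8080").
    $host = strtolower(trim((string) $raw_host));
    $host = preg_replace('/:\d{1,5}\z/', '', $host);

    // Reject anything that is not plain hostname syntax before comparing.
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    if (!preg_match('/\A(?:' . $label . '\.)*' . $label . '\z/', $host)) {
        return $fallback_host;
    }

    // Strict comparison (third argument) avoids PHP type juggling.
    return in_array($host, $allowed_hosts, true) ? $host : $fallback_host;
}

$allowed  = array('dev.example.com', 'test.example.com', 'stage.example.com', 'www.example.com');
$fallback = 'www.example.com';

// Constructed Host values, including the one quoted earlier in the thread.
$samples = array(
    'www.example.com',                   // exact match
    'Stage.Example.com:8080',            // mixed case plus port
    '" onclick="nastyCode()" dummy="',   // fails the syntax check
    'www.example.com.evil.test',         // valid syntax, not on the allowlist
    null,                                // request with no Host header
);

foreach ($samples as $raw) {
    $host = pick_site_host($raw, $allowed, $fallback);
    // Escape on output too: the allowlist guards URL construction,
    // escaping guards the HTML attribute context.
    $href = htmlspecialchars('http://' . $host . '/', ENT_QUOTES, 'UTF-8');
    printf("%-35s => <a href=\"%s\">home</a>\n", var_export($raw, true), $href);
}
```

Only the first two samples keep their own hostname; the other three resolve to the fallback, so an unrecognized Host value never reaches the generated markup.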

