Question

I read the following comment on the PHP doc pages:

"Be warned that most contents of the Server-Array (even $_SERVER['SERVER_NAME']) are provided by the client and can be manipulated. They can also be used for injections and thus MUST be checked and treated like any other user input."

And then I saw a topic here on StackOverflow saying that $_SERVER['SERVER_NAME'] is partly server controlled.

Can I trust this value to get the URL of my website? If I can't really trust $_SERVER['SERVER_NAME'], how can I get this value? What are some possible alternatives and their pros and cons?

Note: PHP 5.3 on Apache, Unix.

Solution

You can enforce this variable's safety by enabling the UseCanonicalName directive inside your Apache configuration, as described here: http://www.apacheref.com/ref/http_core/UseCanonicalName.html

OTHER TIPS

I usually hardcode the 'real' URL to my website into a site configuration file. I wouldn't rely on what Apache 'says' to tell you your URL. Do you have several different vhosts or server aliases pointing to the same docroot?
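
Both answers above come down to taking the site's host from configuration instead of from the request. The following PHP sketch is an added example, not code from either answer: it builds URLs only from a configured host and checks the request's `SERVER_NAME` and `HTTP_HOST` against an allow-list. The `$config` keys, function names and hostnames are assumptions for illustration, and the syntax is kept compatible with PHP 5.3.

```php
<?php
// Hypothetical site configuration: the canonical host is fixed here, never read from the request.
$config = array(
    'scheme'         => 'https',
    'canonical_host' => 'www.example.com', // constructed placeholder
    // Every vhost name / server alias that legitimately serves this docroot.
    'allowed_hosts'  => array('www.example.com', 'example.com'),
);

// Lower-case the value, drop an optional port and trailing dot; null unless it is a plain hostname.
function normalize_host($raw)
{
    if (!is_string($raw)) {
        return null;
    }
    $host  = rtrim(preg_replace('/:\d{1,5}$/D', '', strtolower(trim($raw))), '.');
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    $ok    = strlen($host) <= 253 && preg_match('/^' . $label . '(?:\.' . $label . ')*$/D', $host);
    return $ok ? $host : null;
}

// True only when every host value present in the request is on the allow-list.
function request_host_is_allowed(array $server, array $config)
{
    $seen = 0;
    foreach (array('SERVER_NAME', 'HTTP_HOST') as $key) {
        if (!isset($server[$key])) {
            continue;
        }
        $seen++;
        if (!in_array(normalize_host($server[$key]), $config['allowed_hosts'], true)) {
            return false;
        }
    }
    return $seen > 0;
}

// Absolute URLs come from configuration only, so a client-supplied host never reaches a link.
function site_url(array $config, $path = '/')
{
    return $config['scheme'] . '://' . $config['canonical_host'] . '/' . ltrim($path, '/');
}

// Constructed request data standing in for $_SERVER.
$samples = array(
    array('SERVER_NAME' => 'example.com', 'HTTP_HOST' => 'Example.com:443'),
    array('SERVER_NAME' => 'other-site.invalid', 'HTTP_HOST' => 'other-site.invalid'),
    array('SERVER_NAME' => 'www.example.com', 'HTTP_HOST' => 'www.example.com/path'),
);
foreach ($samples as $server) {
    $verdict = request_host_is_allowed($server, $config) ? 'serve' : 'reject with 400';
    echo $verdict, ' | links built as ', site_url($config, '/account'), "\n";
}
```

In a real request handler, pass `$_SERVER` to `request_host_is_allowed()` before any output, and use `site_url()` wherever an absolute link, redirect target or e-mail URL is generated.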

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow